Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RFQ#20252502QJ.exe

Overview

General Information

Sample name:RFQ#20252502QJ.exe
Analysis ID:1623573
MD5:b048461f46446b776770bc549b298ef9
SHA1:c990b9f07d31d4943303f764618b0f494a93a3ff
SHA256:ceb2439ede02213d08dbb5cf64ade11b7f5558a5234e544a0c53cfa337f6860f
Tags:exeuser-abuse_ch
Infos:

Detection

Discord Token Stealer
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Discord Token Stealer
Yara detected Generic Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • RFQ#20252502QJ.exe (PID: 4092 cmdline: "C:\Users\user\Desktop\RFQ#20252502QJ.exe" MD5: B048461F46446B776770BC549B298EF9)
    • powershell.exe (PID: 6508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1264 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6976 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 1096 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 2876 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • lNIfJeZzNfEXku.exe (PID: 5012 cmdline: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe MD5: B048461F46446B776770BC549B298EF9)
    • schtasks.exe (PID: 5560 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 6444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2200998451.00000000057D0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
            Click to see the 10 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            8.2.MSBuild.exe.57d0000.3.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ#20252502QJ.exe", ParentImage: C:\Users\user\Desktop\RFQ#20252502QJ.exe, ParentProcessId: 4092, ParentProcessName: RFQ#20252502QJ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", ProcessId: 6508, ProcessName: powershell.exe
              Sigma detected: Powershell Defender Exclusion
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ#20252502QJ.exe", ParentImage: C:\Users\user\Desktop\RFQ#20252502QJ.exe, ParentProcessId: 4092, ParentProcessName: RFQ#20252502QJ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", ProcessId: 6508, ProcessName: powershell.exe
              Sigma detected: Suspicious Add Scheduled Task Parent
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe, ParentImage: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe, ParentProcessId: 5012, ParentProcessName: lNIfJeZzNfEXku.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp", ProcessId: 5560, ProcessName: schtasks.exe
              Sigma detected: Suspicious Schtasks From Env Var Folder
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ#20252502QJ.exe", ParentImage: C:\Users\user\Desktop\RFQ#20252502QJ.exe, ParentProcessId: 4092, ParentProcessName: RFQ#20252502QJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp", ProcessId: 6976, ProcessName: schtasks.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ#20252502QJ.exe", ParentImage: C:\Users\user\Desktop\RFQ#20252502QJ.exe, ParentProcessId: 4092, ParentProcessName: RFQ#20252502QJ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe", ProcessId: 6508, ProcessName: powershell.exe

              Persistence and Installation Behavior

              barindex
              Sigma detected: Scheduled temp file as task from temp location
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ#20252502QJ.exe", ParentImage: C:\Users\user\Desktop\RFQ#20252502QJ.exe, ParentProcessId: 4092, ParentProcessName: RFQ#20252502QJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp", ProcessId: 6976, ProcessName: schtasks.exe

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: RFQ#20252502QJ.exeAvira: detected
              Antivirus detection for dropped file
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeAvira: detection malicious, Label: HEUR/AGEN.1310954
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeReversingLabs: Detection: 55%
              Multi AV Scanner detection for submitted file
              Source: RFQ#20252502QJ.exeVirustotal: Detection: 45%Perma Link
              Source: RFQ#20252502QJ.exeReversingLabs: Detection: 55%
              Joe Sandbox ML detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

              Compliance

              barindex
              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeUnpacked PE file: 0.2.RFQ#20252502QJ.exe.350000.0.unpack
              Source: RFQ#20252502QJ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49748 version: TLS 1.0
              Source: RFQ#20252502QJ.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 4x nop then jmp 0A429CA9h0_2_0A429570
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 4x nop then jmp 0A4990A9h10_2_0A498970

              Networking

              barindex
              Connects to many ports of the same IP (likely port scanning)
              Source: global trafficTCP traffic: 69.61.84.211 ports 13650,0,1,3,5,6
              Uses dynamic DNS services
              Source: unknownDNS query: name: hottie1.duckdns.org
              Source: global trafficTCP traffic: 192.168.2.5:49708 -> 69.61.84.211:13650
              Source: Joe Sandbox ViewASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS
              Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
              Source: unknownHTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49748 version: TLS 1.0
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: hottie1.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: 233.75.3.0.in-addr.arpa
              Source: RFQ#20252502QJ.exe, 00000000.00000002.2152709770.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, RFQ#20252502QJ.exe, 00000000.00000002.2152709770.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, lNIfJeZzNfEXku.exe, 0000000A.00000002.2213334316.00000000029A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
              Source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
              Source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://icanhazip.com/
              Source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
              Source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
              Source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003431000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003431000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
              Source: MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacl
              Source: MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacx
              Source: MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2260732376.000000000AA81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003431000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003431000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              System Summary

              barindex
              .NET source code contains very large array initializations
              Source: 0.2.RFQ#20252502QJ.exe.44083d0.5.raw.unpack, tyOEnDb6X5k2O1jSJ7.csLarge array initialization: PvFv8Jk2A: array initializer size 360640
              Initial sample is a PE file and has a suspicious name
              Source: initial sampleStatic PE information: Filename: RFQ#20252502QJ.exe
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB9DBC NtQueryInformationProcess,0_2_00BB9DBC
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BBA391 NtQueryInformationProcess,0_2_00BBA391
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_02809DBC NtQueryInformationProcess,10_2_02809DBC
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280A391 NtQueryInformationProcess,10_2_0280A391
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB08D10_2_00BB08D1
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BBA1680_2_00BBA168
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB13B00_2_00BB13B0
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB1BF90_2_00BB1BF9
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB35180_2_00BB3518
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB85690_2_00BB8569
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB26110_2_00BB2611
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BBEFD80_2_00BBEFD8
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB58F80_2_00BB58F8
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB58E80_2_00BB58E8
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB88280_2_00BB8828
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB88180_2_00BB8818
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB50680_2_00BB5068
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB50590_2_00BB5059
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BBA1580_2_00BBA158
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB13200_2_00BB1320
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB5B700_2_00BB5B70
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB5B610_2_00BB5B61
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB53580_2_00BB5358
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BBFCE00_2_00BBFCE0
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB341F0_2_00BB341F
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB34080_2_00BB3408
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB44700_2_00BB4470
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB44600_2_00BB4460
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB95100_2_00BB9510
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB5D410_2_00BB5D41
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB56D80_2_00BB56D8
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB56C80_2_00BB56C8
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB8E700_2_00BB8E70
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB8E6C0_2_00BB8E6C
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_096A14A70_2_096A14A7
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_096A14B80_2_096A14B8
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0A424B480_2_0A424B48
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0A4230380_2_0A423038
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0A4238A80_2_0A4238A8
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0A4234700_2_0A423470
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0A4254E00_2_0A4254E0
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0BAD42A00_2_0BAD42A0
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0BAD36B80_2_0BAD36B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0184110B8_2_0184110B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_018411188_2_01841118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_031F2B688_2_031F2B68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_031F2B498_2_031F2B49
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05820C008_2_05820C00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058240288_2_05824028
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05821CA88_2_05821CA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05820F378_2_05820F37
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058470908_2_05847090
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058462388_2_05846238
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05845F188_2_05845F18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058418508_2_05841850
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058490108_2_05849010
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058490208_2_05849020
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058462278_2_05846227
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05845F098_2_05845F09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058595188_2_05859518
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05859C2B8_2_05859C2B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058548888_2_05854888
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05858D0F8_2_05858D0F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058595088_2_05859508
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05858D338_2_05858D33
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05858D508_2_05858D50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05858D608_2_05858D60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058594C08_2_058594C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058594D78_2_058594D7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05858CF08_2_05858CF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0585961F8_2_0585961F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_058548788_2_05854878
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB47B88_2_05DB47B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB81D08_2_05DB81D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DBA0B08_2_05DBA0B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB53D08_2_05DB53D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB1FC08_2_05DB1FC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB81C08_2_05DB81C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB21188_2_05DB2118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB20BC8_2_05DB20BC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DBA0A08_2_05DBA0A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB60488_2_05DB6048
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB23248_2_05DB2324
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB220C8_2_05DB220C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB4B008_2_05DB4B00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB12DA8_2_05DB12DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB12E88_2_05DB12E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DBBCF88_2_05DBBCF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DBBCE78_2_05DBBCE7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB1FB08_2_05DB1FB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0629BEB88_2_0629BEB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0629D2888_2_0629D288
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_028013B010_2_028013B0
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_02801BFB10_2_02801BFB
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_028008D110_2_028008D1
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280A16810_2_0280A168
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280A6B810_2_0280A6B8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280261310_2_02802613
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280351810_2_02803518
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280856910_2_02808569
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280535810_2_02805358
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_02805B6110_2_02805B61
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_02805B7010_2_02805B70
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_028058F810_2_028058F8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280881810_2_02808818
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280882810_2_02808828
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280505B10_2_0280505B
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280506810_2_02805068
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_028056C810_2_028056C8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_028056D810_2_028056D8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_02808E6B10_2_02808E6B
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_02808E7010_2_02808E70
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280340810_2_02803408
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280341F10_2_0280341F
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280446010_2_02804460
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280447010_2_02804470
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0280951010_2_02809510
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_02805D4110_2_02805D41
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_099E14B810_2_099E14B8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_099E14AA10_2_099E14AA
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A49AC9010_2_0A49AC90
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A493A2810_2_0A493A28
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A4931B810_2_0A4931B8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A49566010_2_0A495660
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A494CC810_2_0A494CC8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A4935DF10_2_0A4935DF
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A4935F010_2_0A4935F0
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0B80C88810_2_0B80C888
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0B8042A010_2_0B8042A0
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0B8036B810_2_0B8036B8
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0B80E95910_2_0B80E959
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0B803BC810_2_0B803BC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_02F917D213_2_02F917D2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_02F9111813_2_02F91118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_02F9110B13_2_02F9110B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_03152B6813_2_03152B68
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_03152B4913_2_03152B49
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_059E0C0013_2_059E0C00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_059E1CA813_2_059E1CA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_059E0F3713_2_059E0F37
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A0709013_2_05A07090
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A0623813_2_05A06238
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A05F1813_2_05A05F18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A0193813_2_05A01938
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A0902013_2_05A09020
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A0901013_2_05A09010
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A0622813_2_05A06228
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A05F0913_2_05A05F09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A1951813_2_05A19518
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A194C013_2_05A194C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A19C2B13_2_05A19C2B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A1488813_2_05A14888
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A1950813_2_05A19508
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A18D0F13_2_05A18D0F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A18D6013_2_05A18D60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A18D5013_2_05A18D50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A18CF013_2_05A18CF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A1945013_2_05A19450
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A1961F13_2_05A1961F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A1487813_2_05A14878
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063847B813_2_063847B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0638A0B013_2_0638A0B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063881D013_2_063881D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063853D013_2_063853D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06381FC013_2_06381FC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0638232413_2_06382324
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0638604813_2_06386048
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063820BC13_2_063820BC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0638A0A013_2_0638A0A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0638211813_2_06382118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063881C013_2_063881C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06384B0013_2_06384B00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063812A213_2_063812A2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063812E813_2_063812E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063812DA13_2_063812DA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06381F3B13_2_06381F3B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06381FB013_2_06381FB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0638BCF813_2_0638BCF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0638BCE713_2_0638BCE7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0655952E13_2_0655952E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06551DD813_2_06551DD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06551DC813_2_06551DC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0657BEB813_2_0657BEB8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0657D28813_2_0657D288
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0660BFC013_2_0660BFC0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06603AA313_2_06603AA3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06603B1513_2_06603B15
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_066073D313_2_066073D3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0660AE5513_2_0660AE55
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06603F3F13_2_06603F3F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0660C27313_2_0660C273
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06603B7A13_2_06603B7A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06607BDC13_2_06607BDC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF9C8213_2_06CF9C82
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFA46013_2_06CFA460
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFFA4E13_2_06CFFA4E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFF98813_2_06CFF988
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFCFA013_2_06CFCFA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF1F4213_2_06CF1F42
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF1D8013_2_06CF1D80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFC59013_2_06CFC590
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF1D9013_2_06CF1D90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF1D9013_2_06CF1D90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFFD4F13_2_06CFFD4F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFA50C13_2_06CFA50C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF9D2C13_2_06CF9D2C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF2A4013_2_06CF2A40
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFFA3613_2_06CFFA36
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF2A3113_2_06CF2A31
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFEB9013_2_06CFEB90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFEB9013_2_06CFEB90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF43B913_2_06CF43B9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFEB6113_2_06CFEB61
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFFB0B13_2_06CFFB0B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFFB1713_2_06CFFB17
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF207B13_2_06CF207B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF203613_2_06CF2036
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFF97813_2_06CFF978
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF892B13_2_06CF892B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF512913_2_06CF5129
              Source: RFQ#20252502QJ.exe, 00000000.00000002.2149009842.0000000000A4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exe, 00000000.00000002.2158951456.0000000009400000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exe, 00000000.00000000.2100224474.0000000000352000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFNsp.exe. vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exe, 00000000.00000002.2159248751.000000000A360000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exe, 00000000.00000002.2152709770.0000000002870000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exe, 00000000.00000002.2152709770.0000000002C84000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRufqlamwezn.exe" vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exe, 00000000.00000002.2154744578.0000000004000000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exeBinary or memory string: OriginalFilenameFNsp.exe. vs RFQ#20252502QJ.exe
              Source: RFQ#20252502QJ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: RFQ#20252502QJ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: lNIfJeZzNfEXku.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, KBq8SpnR8F8b5xlTgO.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, KBq8SpnR8F8b5xlTgO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, KBq8SpnR8F8b5xlTgO.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, KBq8SpnR8F8b5xlTgO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, hq9mTPYyfvLx3wtGHp.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, KBq8SpnR8F8b5xlTgO.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, KBq8SpnR8F8b5xlTgO.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@18/12@3/1
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeFile created: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMutant created: \Sessions\1\BaseNamedObjects\hNHPfNlQlXDTHnTFnRPoFL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4956:120:WilError_03
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\626640710bceb8a9
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5264.tmpJump to behavior
              Source: RFQ#20252502QJ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: RFQ#20252502QJ.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: MSBuild.exe, 00000008.00000002.2193405275.000000000354B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.000000000352D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000034A2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003486000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: RFQ#20252502QJ.exeVirustotal: Detection: 45%
              Source: RFQ#20252502QJ.exeReversingLabs: Detection: 55%
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeFile read: C:\Users\user\Desktop\RFQ#20252502QJ.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\RFQ#20252502QJ.exe "C:\Users\user\Desktop\RFQ#20252502QJ.exe"
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: unknownProcess created: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: RFQ#20252502QJ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: RFQ#20252502QJ.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
              Source: RFQ#20252502QJ.exeStatic file information: File size 1163776 > 1048576
              Source: RFQ#20252502QJ.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x11b800
              Source: RFQ#20252502QJ.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp

              Data Obfuscation

              barindex
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeUnpacked PE file: 0.2.RFQ#20252502QJ.exe.350000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeUnpacked PE file: 0.2.RFQ#20252502QJ.exe.350000.0.unpack
              .NET source code contains potential unpacker
              Source: 0.2.RFQ#20252502QJ.exe.401baa0.6.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, hq9mTPYyfvLx3wtGHp.cs.Net Code: MZTfgMei1D System.Reflection.Assembly.Load(byte[])
              Source: 0.2.RFQ#20252502QJ.exe.291fc30.1.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.RFQ#20252502QJ.exe.9400000.8.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, hq9mTPYyfvLx3wtGHp.cs.Net Code: MZTfgMei1D System.Reflection.Assembly.Load(byte[])
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, hq9mTPYyfvLx3wtGHp.cs.Net Code: MZTfgMei1D System.Reflection.Assembly.Load(byte[])
              Yara detected Costura Assembly Loader
              Source: Yara matchFile source: 8.2.MSBuild.exe.57d0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.2200998451.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2876, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6444, type: MEMORYSTR
              Source: RFQ#20252502QJ.exeStatic PE information: 0x89C54A9C [Tue Mar 31 09:51:24 2043 UTC]
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_00BB60CD push dword ptr [eax-45B00DBBh]; retf 0_2_00BB60E4
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_096A6A00 pushfd ; ret 0_2_096A6A09
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_096A8362 push esp; iretd 0_2_096A8369
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_096A8308 push esp; iretd 0_2_096A8369
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeCode function: 0_2_0A42C98D push FFFFFF8Bh; iretd 0_2_0A42C98F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_01844863 push esp; iretd 8_2_01844869
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0584C487 push ecx; ret 8_2_0584C48D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0584C46B push ecx; ret 8_2_0584C479
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_0585779F push eax; ret 8_2_058577AD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB0007 pushad ; ret 8_2_05DB0015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB4AF5 pushad ; retf 8_2_05DB4AFD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05DB1E73 pushad ; retf 8_2_05DB1E81
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_05E04245 pushfd ; ret 8_2_05E04246
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 8_2_062934FA pushad ; retf 8_2_062934FD
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_028060CD push dword ptr [eax-45B00DBBh]; retf 10_2_028060E4
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_099E7098 push eax; ret 10_2_099E7099
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_099E8492 push eax; retf 10_2_099E8499
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeCode function: 10_2_0A49BB4C push FFFFFF8Bh; iretd 10_2_0A49BB57
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_02F94863 push esp; iretd 13_2_02F94869
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_05A177AC push eax; ret 13_2_05A177AD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06384AF5 pushad ; retf 13_2_06384AFD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_063812A2 push 5D6B6D0Ah; ret 13_2_063812B9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06558170 push eax; iretd 13_2_06558175
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_065734FA pushad ; retf 13_2_065734FD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0660EC3A push es; retf 13_2_0660EC3C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06600A7D push ebx; iretd 13_2_06600A8A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_0660BB8A push es; ret 13_2_0660BB8C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06608160 push es; ret 13_2_06608220
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CF4ED7 push ecx; iretd 13_2_06CF4ED8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFF604 pushad ; iretd 13_2_06CFF605
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 13_2_06CFFE10 pushad ; ret 13_2_06CFFE11
              Source: RFQ#20252502QJ.exeStatic PE information: section name: .text entropy: 7.607226564215582
              Source: lNIfJeZzNfEXku.exe.0.drStatic PE information: section name: .text entropy: 7.607226564215582
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, mcHUmjCKjnGNcYIIeG.csHigh entropy of concatenated method names: 'grmQPDitb8', 'x9KQRX4cwQ', 'KOnQChKJov', 'DwhQbCeFWv', 'Xd0Q9QHTjE', 'kEKQuwvKAn', 'MFTQZbGGox', 'A2eQicV8Ig', 'nScQ4afvKJ', 'TRxQ0wcJLh'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, kpwEmpACePkyEQ5ZF9.csHigh entropy of concatenated method names: 'jbyIUHLqnb', 'SkBIwwrdlq', 'HbTIkoC3UQ', 'UjSIBWw5ZS', 'F5nIYhbqIb', 'jS0kMYKlEk', 'QATkTLgUgi', 'RvhkXSETkh', 'luPk1J45jA', 'U6wkKaUe9Q'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, XAP9Ux9YFJU2feh0Pt.csHigh entropy of concatenated method names: 'McIHft029lxifwVMaUZ', 'lf2yQj0ZN3lyI2YOx24', 'hy7IElpKie', 'aT8IVD4TYy', 'Q1WIWCASPF', 'CrGDar07i25yssbv7Ob', 'yS6x2q0XsdpEhumrUAg'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, IYEIgswuagPv6HnFaM.csHigh entropy of concatenated method names: 'Dispose', 'HfGrK5BA2s', 'GLJe9Rp3Zj', 'W8DVJoGZpN', 'HOKr5JBfrm', 'KaXrzdiDAa', 'ProcessDialogKey', 'H14eyuexwl', 'k23erV1Z1a', 'IIheeGWEre'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, qZcmb4XcOufG5BA2s9.csHigh entropy of concatenated method names: 'o8kVQyuWnd', 'wgaVhHIcjq', 'DNOVVeF82b', 'hotVdHeaf2', 'HBdVDSl2mR', 'r18Vvarr83', 'Dispose', 'umQEO0Bu7y', 'FU1EwybIoS', 'h7GEj4ku5Y'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, F4oVSvryCgNEyU6CkYV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zaPWsmXfxj', 'l0CWR1BFbt', 'JeCWF32ZKu', 'epKWC5Vwq5', 'ksVWbQqSW9', 'lPOWty6KO5', 'BALW2C7i3Z'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, I5wrKuGGpAlphxppDJ.csHigh entropy of concatenated method names: 'ltqkJFG3Q0', 'UCCk8qRUmm', 'JfxjuLovpH', 'G2ijZVaj4f', 'iutjiGhe7M', 'r2Yj4qD7Wk', 'oFnj0W3Awf', 'KiCjLB5YaI', 'T7Rj7RAmcQ', 'AKBjPjlaGB'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, k6Acl6zafGysJhyYe8.csHigh entropy of concatenated method names: 'zJYWq3HJId', 'tfmWnCfItD', 'Ud4WxJe6VZ', 'Vg0WAcuQEZ', 'tY2W9IVQoM', 'MRTWZLZGBu', 'YswWiCN3dG', 'mQWWvNCQxf', 'S3NWlcigMn', 'oc8WSGbvyh'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, Nb9fl6rrv0fAucnN5IF.csHigh entropy of concatenated method names: 'WhQW52ccxT', 'bmkWzZorv1', 'K13dyYs4ue', 'PEgdrBEld1', 'vOWdeGmlkI', 'bbLdNpsw4H', 'Srrdfiy8CM', 'zbOdU1ZFIW', 'cswdOwffhO', 'BYIdwsYIb0'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, c7EYksTh1HvuDQW4Qm.csHigh entropy of concatenated method names: 'J2hh1QL09l', 'jYkh57Zmas', 'nk9Ey8IYed', 'q1yErn1EYx', 'W1shsp332V', 'aOYhR7WP9u', 'pIjhFq5lJJ', 'pNHhC6eI0i', 'HF7hbSVrVL', 'vH7htkVtME'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, y5nZXU0aqv8LThrqCb.csHigh entropy of concatenated method names: 'Bm5BObosl1', 'lIUBjqk7rf', 'U98BI5IV08', 'v61I50TV8G', 'cyZIzF82Rn', 'h6xByyfD33', 'lXMBrQeNUa', 'TXdBeggPu9', 'gihBNysO9S', 'zosBfuKdKj'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, stjK8Pt5u33feVQrhA.csHigh entropy of concatenated method names: 'ToString', 'HkuHshOuVy', 'MggH9uDTHX', 'VvKHu9gyCY', 'NCSHZ6rHsh', 'tBQHib9iD8', 'JKMH4nWg8U', 'x8mH0bmng0', 'eWYHLs0HWA', 'Gu1H7Tu3aO'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, QPHQAQxOAqKR7PvXf8.csHigh entropy of concatenated method names: 'HThjaXIWr1', 'JcijqbZyZD', 'TUrjna0dk3', 'Gxojx7pAtQ', 'agxjQhQX4C', 'rTpjHBnc6I', 'qCBjhGHlE4', 'cSEjE2IRKI', 'LhwjVyesdK', 'we7jW0WSjB'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, nURVvWfaTISyK6YtRW.csHigh entropy of concatenated method names: 'jh4rBBq8Sp', 'P8FrY8b5xl', 'oOAr6qKR7P', 'wXfrc8Z5wr', 'EpprQDJYpw', 'rmprHCePky', 'BOUHABm1XdMT7Anl83', 'VFxqkda6v2CyJggcxH', 'pu7rrIEn4I', 'gH3rNaTZMp'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, IX8YGu73nqHbAAfHKE.csHigh entropy of concatenated method names: 'KRbBlV4une', 'LwrBSG09Vv', 'MABBgFOudD', 'ImkBaloeKH', 'lcYBJ5WWnq', 'fJRBqoCNuy', 'WynB87hwsi', 'Td4BnVaLTK', 'E01Bx1Kuky', 'WpeBGrkMir'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, KuexwlKY23V1Z1auIh.csHigh entropy of concatenated method names: 'wVXVAteUud', 'PHtV9OFsCg', 'AAqVuR8Jdh', 'R1KVZf5wsK', 'zc7ViSvL4F', 'sUMV4qEsDg', 'eMtV0DVtb9', 'e3SVLb6u7C', 'aaoV7F9rv1', 'D91VPBmjAC'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, N3gnPBelWi1cEnC2oe.csHigh entropy of concatenated method names: 'yOZg4uK70', 'CFZa6xSK5', 'bMfqLytnH', 'X7l8WioDe', 'KNyxideHO', 'X0OGcpCTF', 'yEw5APHt6mrKDnVHfS', 'PPpHDFj1YqflK24NO4', 'yTdEuojWo', 'vPvWEVPS2'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, hq9mTPYyfvLx3wtGHp.csHigh entropy of concatenated method names: 'TVdNUc3tPw', 'E0WNOLeSiG', 'BjRNwlOF0f', 'GBqNjeakSe', 'dNRNkbmuIw', 'NhMNIYJ2eE', 'B49NBOMpgA', 'zuHNYMhji2', 'A8YNmQDmET', 'Cn7N6E7d4o'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, XnOlEZFE3oC5waEpPm.csHigh entropy of concatenated method names: 'eCronJVrno', 'dG5oxEjeTa', 'LOaoA0WWZ6', 'OMIo9kIrGi', 'kqmoZmVYsZ', 'W28oidxuSd', 'NRjo0NVEoE', 'VmuoLgYO1e', 'K3PoPyGeEJ', 'jU3osJEJFu'
              Source: 0.2.RFQ#20252502QJ.exe.42cbf90.4.raw.unpack, KBq8SpnR8F8b5xlTgO.csHigh entropy of concatenated method names: 'EuOwCkh4ft', 'QlIwb1yg0E', 'FNxwtMuSmW', 'AIww2O5DUc', 'WkSwMeg4cu', 'vA0wTTA6nn', 'oyXwXupocJ', 'UfIw1p15b8', 'UinwKLDuwl', 'jgkw5FSLxK'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, mcHUmjCKjnGNcYIIeG.csHigh entropy of concatenated method names: 'grmQPDitb8', 'x9KQRX4cwQ', 'KOnQChKJov', 'DwhQbCeFWv', 'Xd0Q9QHTjE', 'kEKQuwvKAn', 'MFTQZbGGox', 'A2eQicV8Ig', 'nScQ4afvKJ', 'TRxQ0wcJLh'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, kpwEmpACePkyEQ5ZF9.csHigh entropy of concatenated method names: 'jbyIUHLqnb', 'SkBIwwrdlq', 'HbTIkoC3UQ', 'UjSIBWw5ZS', 'F5nIYhbqIb', 'jS0kMYKlEk', 'QATkTLgUgi', 'RvhkXSETkh', 'luPk1J45jA', 'U6wkKaUe9Q'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, XAP9Ux9YFJU2feh0Pt.csHigh entropy of concatenated method names: 'McIHft029lxifwVMaUZ', 'lf2yQj0ZN3lyI2YOx24', 'hy7IElpKie', 'aT8IVD4TYy', 'Q1WIWCASPF', 'CrGDar07i25yssbv7Ob', 'yS6x2q0XsdpEhumrUAg'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, IYEIgswuagPv6HnFaM.csHigh entropy of concatenated method names: 'Dispose', 'HfGrK5BA2s', 'GLJe9Rp3Zj', 'W8DVJoGZpN', 'HOKr5JBfrm', 'KaXrzdiDAa', 'ProcessDialogKey', 'H14eyuexwl', 'k23erV1Z1a', 'IIheeGWEre'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, qZcmb4XcOufG5BA2s9.csHigh entropy of concatenated method names: 'o8kVQyuWnd', 'wgaVhHIcjq', 'DNOVVeF82b', 'hotVdHeaf2', 'HBdVDSl2mR', 'r18Vvarr83', 'Dispose', 'umQEO0Bu7y', 'FU1EwybIoS', 'h7GEj4ku5Y'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, F4oVSvryCgNEyU6CkYV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zaPWsmXfxj', 'l0CWR1BFbt', 'JeCWF32ZKu', 'epKWC5Vwq5', 'ksVWbQqSW9', 'lPOWty6KO5', 'BALW2C7i3Z'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, I5wrKuGGpAlphxppDJ.csHigh entropy of concatenated method names: 'ltqkJFG3Q0', 'UCCk8qRUmm', 'JfxjuLovpH', 'G2ijZVaj4f', 'iutjiGhe7M', 'r2Yj4qD7Wk', 'oFnj0W3Awf', 'KiCjLB5YaI', 'T7Rj7RAmcQ', 'AKBjPjlaGB'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, k6Acl6zafGysJhyYe8.csHigh entropy of concatenated method names: 'zJYWq3HJId', 'tfmWnCfItD', 'Ud4WxJe6VZ', 'Vg0WAcuQEZ', 'tY2W9IVQoM', 'MRTWZLZGBu', 'YswWiCN3dG', 'mQWWvNCQxf', 'S3NWlcigMn', 'oc8WSGbvyh'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, Nb9fl6rrv0fAucnN5IF.csHigh entropy of concatenated method names: 'WhQW52ccxT', 'bmkWzZorv1', 'K13dyYs4ue', 'PEgdrBEld1', 'vOWdeGmlkI', 'bbLdNpsw4H', 'Srrdfiy8CM', 'zbOdU1ZFIW', 'cswdOwffhO', 'BYIdwsYIb0'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, c7EYksTh1HvuDQW4Qm.csHigh entropy of concatenated method names: 'J2hh1QL09l', 'jYkh57Zmas', 'nk9Ey8IYed', 'q1yErn1EYx', 'W1shsp332V', 'aOYhR7WP9u', 'pIjhFq5lJJ', 'pNHhC6eI0i', 'HF7hbSVrVL', 'vH7htkVtME'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, y5nZXU0aqv8LThrqCb.csHigh entropy of concatenated method names: 'Bm5BObosl1', 'lIUBjqk7rf', 'U98BI5IV08', 'v61I50TV8G', 'cyZIzF82Rn', 'h6xByyfD33', 'lXMBrQeNUa', 'TXdBeggPu9', 'gihBNysO9S', 'zosBfuKdKj'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, stjK8Pt5u33feVQrhA.csHigh entropy of concatenated method names: 'ToString', 'HkuHshOuVy', 'MggH9uDTHX', 'VvKHu9gyCY', 'NCSHZ6rHsh', 'tBQHib9iD8', 'JKMH4nWg8U', 'x8mH0bmng0', 'eWYHLs0HWA', 'Gu1H7Tu3aO'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, QPHQAQxOAqKR7PvXf8.csHigh entropy of concatenated method names: 'HThjaXIWr1', 'JcijqbZyZD', 'TUrjna0dk3', 'Gxojx7pAtQ', 'agxjQhQX4C', 'rTpjHBnc6I', 'qCBjhGHlE4', 'cSEjE2IRKI', 'LhwjVyesdK', 'we7jW0WSjB'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, nURVvWfaTISyK6YtRW.csHigh entropy of concatenated method names: 'jh4rBBq8Sp', 'P8FrY8b5xl', 'oOAr6qKR7P', 'wXfrc8Z5wr', 'EpprQDJYpw', 'rmprHCePky', 'BOUHABm1XdMT7Anl83', 'VFxqkda6v2CyJggcxH', 'pu7rrIEn4I', 'gH3rNaTZMp'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, IX8YGu73nqHbAAfHKE.csHigh entropy of concatenated method names: 'KRbBlV4une', 'LwrBSG09Vv', 'MABBgFOudD', 'ImkBaloeKH', 'lcYBJ5WWnq', 'fJRBqoCNuy', 'WynB87hwsi', 'Td4BnVaLTK', 'E01Bx1Kuky', 'WpeBGrkMir'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, KuexwlKY23V1Z1auIh.csHigh entropy of concatenated method names: 'wVXVAteUud', 'PHtV9OFsCg', 'AAqVuR8Jdh', 'R1KVZf5wsK', 'zc7ViSvL4F', 'sUMV4qEsDg', 'eMtV0DVtb9', 'e3SVLb6u7C', 'aaoV7F9rv1', 'D91VPBmjAC'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, N3gnPBelWi1cEnC2oe.csHigh entropy of concatenated method names: 'yOZg4uK70', 'CFZa6xSK5', 'bMfqLytnH', 'X7l8WioDe', 'KNyxideHO', 'X0OGcpCTF', 'yEw5APHt6mrKDnVHfS', 'PPpHDFj1YqflK24NO4', 'yTdEuojWo', 'vPvWEVPS2'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, hq9mTPYyfvLx3wtGHp.csHigh entropy of concatenated method names: 'TVdNUc3tPw', 'E0WNOLeSiG', 'BjRNwlOF0f', 'GBqNjeakSe', 'dNRNkbmuIw', 'NhMNIYJ2eE', 'B49NBOMpgA', 'zuHNYMhji2', 'A8YNmQDmET', 'Cn7N6E7d4o'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, XnOlEZFE3oC5waEpPm.csHigh entropy of concatenated method names: 'eCronJVrno', 'dG5oxEjeTa', 'LOaoA0WWZ6', 'OMIo9kIrGi', 'kqmoZmVYsZ', 'W28oidxuSd', 'NRjo0NVEoE', 'VmuoLgYO1e', 'K3PoPyGeEJ', 'jU3osJEJFu'
              Source: 0.2.RFQ#20252502QJ.exe.436a1b0.7.raw.unpack, KBq8SpnR8F8b5xlTgO.csHigh entropy of concatenated method names: 'EuOwCkh4ft', 'QlIwb1yg0E', 'FNxwtMuSmW', 'AIww2O5DUc', 'WkSwMeg4cu', 'vA0wTTA6nn', 'oyXwXupocJ', 'UfIw1p15b8', 'UinwKLDuwl', 'jgkw5FSLxK'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, mcHUmjCKjnGNcYIIeG.csHigh entropy of concatenated method names: 'grmQPDitb8', 'x9KQRX4cwQ', 'KOnQChKJov', 'DwhQbCeFWv', 'Xd0Q9QHTjE', 'kEKQuwvKAn', 'MFTQZbGGox', 'A2eQicV8Ig', 'nScQ4afvKJ', 'TRxQ0wcJLh'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, kpwEmpACePkyEQ5ZF9.csHigh entropy of concatenated method names: 'jbyIUHLqnb', 'SkBIwwrdlq', 'HbTIkoC3UQ', 'UjSIBWw5ZS', 'F5nIYhbqIb', 'jS0kMYKlEk', 'QATkTLgUgi', 'RvhkXSETkh', 'luPk1J45jA', 'U6wkKaUe9Q'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, XAP9Ux9YFJU2feh0Pt.csHigh entropy of concatenated method names: 'McIHft029lxifwVMaUZ', 'lf2yQj0ZN3lyI2YOx24', 'hy7IElpKie', 'aT8IVD4TYy', 'Q1WIWCASPF', 'CrGDar07i25yssbv7Ob', 'yS6x2q0XsdpEhumrUAg'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, IYEIgswuagPv6HnFaM.csHigh entropy of concatenated method names: 'Dispose', 'HfGrK5BA2s', 'GLJe9Rp3Zj', 'W8DVJoGZpN', 'HOKr5JBfrm', 'KaXrzdiDAa', 'ProcessDialogKey', 'H14eyuexwl', 'k23erV1Z1a', 'IIheeGWEre'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, qZcmb4XcOufG5BA2s9.csHigh entropy of concatenated method names: 'o8kVQyuWnd', 'wgaVhHIcjq', 'DNOVVeF82b', 'hotVdHeaf2', 'HBdVDSl2mR', 'r18Vvarr83', 'Dispose', 'umQEO0Bu7y', 'FU1EwybIoS', 'h7GEj4ku5Y'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, F4oVSvryCgNEyU6CkYV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zaPWsmXfxj', 'l0CWR1BFbt', 'JeCWF32ZKu', 'epKWC5Vwq5', 'ksVWbQqSW9', 'lPOWty6KO5', 'BALW2C7i3Z'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, I5wrKuGGpAlphxppDJ.csHigh entropy of concatenated method names: 'ltqkJFG3Q0', 'UCCk8qRUmm', 'JfxjuLovpH', 'G2ijZVaj4f', 'iutjiGhe7M', 'r2Yj4qD7Wk', 'oFnj0W3Awf', 'KiCjLB5YaI', 'T7Rj7RAmcQ', 'AKBjPjlaGB'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, k6Acl6zafGysJhyYe8.csHigh entropy of concatenated method names: 'zJYWq3HJId', 'tfmWnCfItD', 'Ud4WxJe6VZ', 'Vg0WAcuQEZ', 'tY2W9IVQoM', 'MRTWZLZGBu', 'YswWiCN3dG', 'mQWWvNCQxf', 'S3NWlcigMn', 'oc8WSGbvyh'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, Nb9fl6rrv0fAucnN5IF.csHigh entropy of concatenated method names: 'WhQW52ccxT', 'bmkWzZorv1', 'K13dyYs4ue', 'PEgdrBEld1', 'vOWdeGmlkI', 'bbLdNpsw4H', 'Srrdfiy8CM', 'zbOdU1ZFIW', 'cswdOwffhO', 'BYIdwsYIb0'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, c7EYksTh1HvuDQW4Qm.csHigh entropy of concatenated method names: 'J2hh1QL09l', 'jYkh57Zmas', 'nk9Ey8IYed', 'q1yErn1EYx', 'W1shsp332V', 'aOYhR7WP9u', 'pIjhFq5lJJ', 'pNHhC6eI0i', 'HF7hbSVrVL', 'vH7htkVtME'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, y5nZXU0aqv8LThrqCb.csHigh entropy of concatenated method names: 'Bm5BObosl1', 'lIUBjqk7rf', 'U98BI5IV08', 'v61I50TV8G', 'cyZIzF82Rn', 'h6xByyfD33', 'lXMBrQeNUa', 'TXdBeggPu9', 'gihBNysO9S', 'zosBfuKdKj'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, stjK8Pt5u33feVQrhA.csHigh entropy of concatenated method names: 'ToString', 'HkuHshOuVy', 'MggH9uDTHX', 'VvKHu9gyCY', 'NCSHZ6rHsh', 'tBQHib9iD8', 'JKMH4nWg8U', 'x8mH0bmng0', 'eWYHLs0HWA', 'Gu1H7Tu3aO'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, QPHQAQxOAqKR7PvXf8.csHigh entropy of concatenated method names: 'HThjaXIWr1', 'JcijqbZyZD', 'TUrjna0dk3', 'Gxojx7pAtQ', 'agxjQhQX4C', 'rTpjHBnc6I', 'qCBjhGHlE4', 'cSEjE2IRKI', 'LhwjVyesdK', 'we7jW0WSjB'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, nURVvWfaTISyK6YtRW.csHigh entropy of concatenated method names: 'jh4rBBq8Sp', 'P8FrY8b5xl', 'oOAr6qKR7P', 'wXfrc8Z5wr', 'EpprQDJYpw', 'rmprHCePky', 'BOUHABm1XdMT7Anl83', 'VFxqkda6v2CyJggcxH', 'pu7rrIEn4I', 'gH3rNaTZMp'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, IX8YGu73nqHbAAfHKE.csHigh entropy of concatenated method names: 'KRbBlV4une', 'LwrBSG09Vv', 'MABBgFOudD', 'ImkBaloeKH', 'lcYBJ5WWnq', 'fJRBqoCNuy', 'WynB87hwsi', 'Td4BnVaLTK', 'E01Bx1Kuky', 'WpeBGrkMir'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, KuexwlKY23V1Z1auIh.csHigh entropy of concatenated method names: 'wVXVAteUud', 'PHtV9OFsCg', 'AAqVuR8Jdh', 'R1KVZf5wsK', 'zc7ViSvL4F', 'sUMV4qEsDg', 'eMtV0DVtb9', 'e3SVLb6u7C', 'aaoV7F9rv1', 'D91VPBmjAC'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, N3gnPBelWi1cEnC2oe.csHigh entropy of concatenated method names: 'yOZg4uK70', 'CFZa6xSK5', 'bMfqLytnH', 'X7l8WioDe', 'KNyxideHO', 'X0OGcpCTF', 'yEw5APHt6mrKDnVHfS', 'PPpHDFj1YqflK24NO4', 'yTdEuojWo', 'vPvWEVPS2'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, hq9mTPYyfvLx3wtGHp.csHigh entropy of concatenated method names: 'TVdNUc3tPw', 'E0WNOLeSiG', 'BjRNwlOF0f', 'GBqNjeakSe', 'dNRNkbmuIw', 'NhMNIYJ2eE', 'B49NBOMpgA', 'zuHNYMhji2', 'A8YNmQDmET', 'Cn7N6E7d4o'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, XnOlEZFE3oC5waEpPm.csHigh entropy of concatenated method names: 'eCronJVrno', 'dG5oxEjeTa', 'LOaoA0WWZ6', 'OMIo9kIrGi', 'kqmoZmVYsZ', 'W28oidxuSd', 'NRjo0NVEoE', 'VmuoLgYO1e', 'K3PoPyGeEJ', 'jU3osJEJFu'
              Source: 0.2.RFQ#20252502QJ.exe.a360000.9.raw.unpack, KBq8SpnR8F8b5xlTgO.csHigh entropy of concatenated method names: 'EuOwCkh4ft', 'QlIwb1yg0E', 'FNxwtMuSmW', 'AIww2O5DUc', 'WkSwMeg4cu', 'vA0wTTA6nn', 'oyXwXupocJ', 'UfIw1p15b8', 'UinwKLDuwl', 'jgkw5FSLxK'
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeFile created: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeJump to dropped file

              Boot Survival

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp"

              Hooking and other Techniques for Hiding and Protection

              barindex
              Loading BitLocker PowerShell Module
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Yara detected AntiVM3
              Source: Yara matchFile source: Process Memory Space: RFQ#20252502QJ.exe PID: 4092, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2876, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: lNIfJeZzNfEXku.exe PID: 5012, type: MEMORYSTR
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: MSBuild.exe, 00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: BB0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: 27A0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: 47A0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: 4E50000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: 5E50000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: 5F80000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: 6F80000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: BF70000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: CF70000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: D400000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: E400000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 17A0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 3210000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 17A0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: EF0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: 29A0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: 49A0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: 4FB0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: 5FB0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: 60E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: 70E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: B950000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: C950000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: 4FB0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2F90000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 3190000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 2FD0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7640Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2074Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 3765Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2782Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2947Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 4114Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exe TID: 3784Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2072Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -19369081277395017s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -39000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4160Thread sleep count: 3765 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -38781s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4160Thread sleep count: 2782 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -38671s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -38562s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -38453s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -38343s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5840Thread sleep time: -38232s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7056Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe TID: 940Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -17524406870024063s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -32000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31874s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31765s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31654s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31547s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31422s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31309s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31203s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -31093s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4984Thread sleep time: -30983s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5656Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 39000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38781Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38671Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38562Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38453Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38343Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 38232Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 32000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31874Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31765Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31654Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31547Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31422Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31309Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31203Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 31093Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 30983Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: MSBuild.exe, 0000000D.00000002.2253309210.00000000058D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKg,
              Source: MSBuild.exe, 00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: MSBuild.exe, 00000008.00000002.2192613412.000000000173F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: MSBuild.exe, 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|Xen4win32_process.handle='{0}'
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: MSBuild.exe, 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: MSBuild.exe, 0000000D.00000002.2250667423.0000000004268000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Adds a directory exclusion to Windows Defender
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe"
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe"Jump to behavior
              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45C000Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1093008Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45C000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: E76008Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp"Jump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeQueries volume information: C:\Users\user\Desktop\RFQ#20252502QJ.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeQueries volume information: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ#20252502QJ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: MSBuild.exe, 0000000D.00000002.2237488026.0000000001384000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected Discord Token Stealer
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2876, type: MEMORYSTR
              Yara detected Generic Stealer
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2876, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6444, type: MEMORYSTR
              Found many strings related to Crypto-Wallets (likely being stolen)
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrumk
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectronCash,
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Jaxx Liberty!
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectrumLTC#
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Binance\configigfig\Config.json
              Source: MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum!
              Source: MSBuild.exe, 00000008.00000002.2196737956.0000000004315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore
              Tries to harvest and steal Bitcoin Wallet information
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-QtJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-QtJump to behavior
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Tries to steal Mail credentials (via file / registry access)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Yara matchFile source: 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2876, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6444, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected Discord Token Stealer
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2876, type: MEMORYSTR
              Yara detected Generic Stealer
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 2876, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 6444, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts41
              Windows Management Instrumentation              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		11
              Disable or Modify Tools              		1
              OS Credential Dumping              		1
              File and Directory Discovery              		Remote Services1
              Archive Collected Data              		12
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Scheduled Task/Job              		1
              Scheduled Task/Job              		311
              Process Injection              		3
              Obfuscated Files or Information              		1
              Credentials in Registry              		34
              System Information Discovery              		Remote Desktop Protocol2
              Data from Local System              		1
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
              Scheduled Task/Job              		32
              Software Packing              		Security Account Manager241
              Security Software Discovery              		SMB/Windows Admin Shares1
              Email Collection              		1
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Timestomp              		NTDS1
              Process Discovery              		Distributed Component Object Model1
              Clipboard Data              		12
              Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading              		LSA Secrets51
              Virtualization/Sandbox Evasion              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Masquerading              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items51
              Virtualization/Sandbox Evasion              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job311
              Process Injection              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1623573 Sample: RFQ#20252502QJ.exe Startdate: 25/02/2025 Architecture: WINDOWS Score: 100 44 hottie1.duckdns.org 2->44 46 233.75.3.0.in-addr.arpa 2->46 48 3 other IPs or domains 2->48 52 Antivirus / Scanner detection for submitted sample 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 Multi AV Scanner detection for submitted file 2->56 60 10 other signatures 2->60 8 RFQ#20252502QJ.exe 7 2->8         started        12 lNIfJeZzNfEXku.exe 5 2->12         started        signatures3 58 Uses dynamic DNS services 44->58 process4 file5 36 C:\Users\user\AppData\...\lNIfJeZzNfEXku.exe, PE32 8->36 dropped 38 C:\...\lNIfJeZzNfEXku.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp5264.tmp, XML 8->40 dropped 42 C:\Users\user\...\RFQ#20252502QJ.exe.log, ASCII 8->42 dropped 62 Detected unpacking (changes PE section rights) 8->62 64 Detected unpacking (overwrites its own PE header) 8->64 66 Uses schtasks.exe or at.exe to add and modify task schedules 8->66 74 3 other signatures 8->74 14 MSBuild.exe 3 8->14         started        18 powershell.exe 23 8->18         started        20 schtasks.exe 1 8->20         started        22 MSBuild.exe 8->22         started        68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Writes to foreign memory regions 12->72 24 MSBuild.exe 2 12->24         started        26 schtasks.exe 1 12->26         started        signatures6 process7 dnsIp8 50 hottie1.duckdns.org 69.61.84.211, 13650, 49708, 49711 GLOBALCOMPASSUS United States 14->50 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->76 78 Tries to steal Mail credentials (via file / registry access) 14->78 80 Found many strings related to Crypto-Wallets (likely being stolen) 14->80 82 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->82 84 Loading BitLocker PowerShell Module 18->84 28 WmiPrvSE.exe 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        86 Tries to harvest and steal browser information (history, passwords, etc) 24->86 88 Tries to harvest and steal Bitcoin Wallet information 24->88 34 conhost.exe 26->34         started        signatures9 process10

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              RFQ#20252502QJ.exe46%VirustotalBrowse
              RFQ#20252502QJ.exe55%ReversingLabsWin32.Trojan.Generic
              RFQ#20252502QJ.exe100%AviraHEUR/AGEN.1310954

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe100%AviraHEUR/AGEN.1310954
              C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe55%ReversingLabsWin32.Trojan.Generic

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              bg.microsoft.map.fastly.net
              		199.232.210.172
              		truefalse
                		high
                hottie1.duckdns.org
                		69.61.84.211
                		truetrue
                  		unknown
                  s-part-0032.t-0009.t-msedge.net
                  		13.107.246.60
                  		truefalse
                    		high
                    233.75.3.0.in-addr.arpa
                    		unknown
                    		unknowntrue
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://ac.ecosia.org/autocomplete?q=MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://duckduckgo.com/chrome_newtabMSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://duckduckgo.com/ac/?q=MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://github.com/mgravell/protobuf-netiMSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                              		high
                              https://stackoverflow.com/q/14436606/23354MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://github.com/mgravell/protobuf-netJMSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                  		high
                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icoMSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://stackoverflow.com/q/11564914/23354;MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                      		high
                                      https://stackoverflow.com/q/2152978/23354MSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                        		high
                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchMSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://icanhazip.com/MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://discordapp.com/api/v9/users/MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://github.com/mgravell/protobuf-netMSBuild.exe, 00000008.00000002.2202721355.0000000005AC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                		high
                                                https://steamcommunity.com/profiles/MSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://www.ecosia.org/newtab/MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRFQ#20252502QJ.exe, 00000000.00000002.2152709770.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, RFQ#20252502QJ.exe, 00000000.00000002.2152709770.0000000002C84000.00000004.00000800.00020000.00000000.sdmp, lNIfJeZzNfEXku.exe, 0000000A.00000002.2213334316.00000000029A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=MSBuild.exe, 00000008.00000002.2196737956.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.0000000004208000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041EE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2250667423.00000000041AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brMSBuild.exe, 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.2193405275.0000000003431000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://support.mozilla.org/products/firefoxMSBuild.exe, 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2240042344.00000000033A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high

                                                                World Map of Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public IPs

                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                69.61.84.211
                                                                		hottie1.duckdns.orgUnited States
                                                                		22653GLOBALCOMPASSUStrue

                                                                General Information

                                                                Joe Sandbox version:42.0.0 Malachite
                                                                Analysis ID:1623573
                                                                Start date and time:2025-02-25 11:48:13 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 8m 18s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Number of analysed new started processes analysed:16
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:RFQ#20252502QJ.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@18/12@3/1
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HCA Information:
                                                                • Successful, ratio: 92%
                                                                • Number of executed functions: 484
                                                                • Number of non-executed functions: 25
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe

                                                                Warnings

                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 23.60.203.209, 52.149.20.212, 2.23.77.188, 52.165.164.15, 199.232.210.172, 2.16.100.168, 88.221.110.106, 13.107.246.60
                                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, e3913.cd.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.f.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                TimeTypeDescription
                                                                05:49:11API Interceptor2x Sleep call for process: RFQ#20252502QJ.exe modified
                                                                05:49:13API Interceptor13x Sleep call for process: powershell.exe modified
                                                                05:49:15API Interceptor58x Sleep call for process: MSBuild.exe modified
                                                                05:49:17API Interceptor2x Sleep call for process: lNIfJeZzNfEXku.exe modified
                                                                11:49:15Task SchedulerRun new task: lNIfJeZzNfEXku path: C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                s-part-0032.t-0009.t-msedge.netBC Indo - New Order 20253.docxGet hashmaliciousUnknownBrowse
                                                                • 13.107.246.60
                                                                33efecb7.htmGet hashmaliciousHTMLPhisherBrowse
                                                                • 13.107.246.60
                                                                nadir.ps1Get hashmaliciousXWormBrowse
                                                                • 13.107.246.60
                                                                HZRMljQv8M.exeGet hashmaliciousXWormBrowse
                                                                • 13.107.246.60
                                                                cmd.batGet hashmaliciousXWormBrowse
                                                                • 13.107.246.60
                                                                libde265.dllGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                • 13.107.246.60
                                                                https://tampopo304-my.sharepoint.com/personal/t_peter_tampopo_co_uk/_layouts/15/guestaccess.aspx?share=ErD6Vn1_jHJCkzNA55SF53AB1bLxHPSyAiXwDO2SC9GB1Q&e=F2hCiyGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                • 13.107.246.60
                                                                http://aptbusinessservices.com.au/Get hashmaliciousUnknownBrowse
                                                                • 13.107.246.60
                                                                SecuriteInfo.com.Win32.DropperX-gen.18958.20206.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                • 13.107.246.60
                                                                TPS_02_2025_JKTA89495500_PDF.jsGet hashmaliciousRemcosBrowse
                                                                • 13.107.246.60
                                                                bg.microsoft.map.fastly.netPO-TS006630009-MRTUNNING.vbsGet hashmaliciousAsyncRAT, VenomRATBrowse
                                                                • 199.232.214.172
                                                                1cRfGAFurK.vbsGet hashmaliciousRemcos, GuLoader, MailPassViewBrowse
                                                                • 199.232.210.172
                                                                Johannes.berkmann Funding Approval.pdfGet hashmaliciousHTMLPhisher, Invisible JSBrowse
                                                                • 199.232.214.172
                                                                Payent confirmation copy 00888754087.scrGet hashmaliciousFormBookBrowse
                                                                • 199.232.210.172
                                                                susemail.pdfGet hashmaliciousUnknownBrowse
                                                                • 199.232.214.172
                                                                OGr5KUWyUv.exeGet hashmaliciousXWormBrowse
                                                                • 199.232.210.172
                                                                HZRMljQv8M.exeGet hashmaliciousXWormBrowse
                                                                • 199.232.210.172
                                                                cmd.batGet hashmaliciousXWormBrowse
                                                                • 199.232.210.172
                                                                PKOBank,pdf.vbsGet hashmaliciousRemcosBrowse
                                                                • 199.232.210.172
                                                                PO-TS006630009-MRTUNNING.batGet hashmaliciousAsyncRAT, VenomRATBrowse
                                                                • 199.232.210.172

                                                                ASNs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                GLOBALCOMPASSUShttps://www.metamask-io-help.walletallinone.com/Get hashmaliciousUnknownBrowse
                                                                • 69.61.36.170
                                                                http://metamask-recovery.walletallinone.com/Get hashmaliciousUnknownBrowse
                                                                • 69.61.36.170
                                                                https://radiounojunin.com.ar/team/TxZWYolaXzbgOphtuFKvJEsyNUCBqHPaYdARpWsLbFQTZeNolyxXGEDOIMjn.htmlGet hashmaliciousUnknownBrowse
                                                                • 69.61.33.116
                                                                https://radiounojunin.com.ar/team/TxZWYolaXzbgOphtuFKvJEsyNUCBqHPaYdARpWsLbFQTZeNolyxXGEDOIMjn.htmlGet hashmaliciousUnknownBrowse
                                                                • 69.61.33.116
                                                                https://radiounojunin.com.ar/team/TxZWYolaXzbgOphtuFKvJEsyNUCBqHPaYdARpWsLbFQTZeNolyxXGEDOIMjn.htmlGet hashmaliciousUnknownBrowse
                                                                • 69.61.33.116
                                                                INTECH RFQ EN241813.exeGet hashmaliciousRemcosBrowse
                                                                • 69.61.31.229
                                                                RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exeGet hashmaliciousRemcosBrowse
                                                                • 69.61.84.227
                                                                la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                • 66.154.2.47
                                                                File1PDF.htmlGet hashmaliciousPhisherBrowse
                                                                • 66.154.14.157
                                                                Document (3 lnk.lnkGet hashmaliciousUnknownBrowse
                                                                • 69.61.36.170

                                                                JA3 Fingerprints

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                1138de370e523e824bbca92d049a3777http://www.cityofkingsville.com/departments/legal-department/property-tax-information/Get hashmaliciousUnknownBrowse
                                                                • 23.1.237.91
                                                                random.exeGet hashmaliciousStealc, VidarBrowse
                                                                • 23.1.237.91
                                                                jli.dll.dllGet hashmaliciousLummaC StealerBrowse
                                                                • 23.1.237.91
                                                                https://wearychallengeraise.com/gb8hzvm3x?rai=57&refer=https%3A%2F%2Fshutdownmap.pages.dev%2Fnew-dszlgp-navigating-ontario-a-comprehensive-guide-to-postal-codes-yzhyhb-pics%2F&kw=%5B%5D&key=9e9257c115e6a14c8eab78f6967b7f19&scrWidth=1280&scrHeight=720&tz=-5&v=25.2.5134&ship=&psid=shutdownmap.pages.dev,shutdownmap.pages.dev&sub3=invoke_layer&res=14.31&dev=r&adb=n&uuid=7a591512-97a9-479c-ad47-3fba577ae591%3A2%3A1&adb=nGet hashmaliciousAnonymous ProxyBrowse
                                                                • 23.1.237.91
                                                                http://lookerstudio.google.com/s/ryl1d6fWDPQGet hashmaliciousHTMLPhisherBrowse
                                                                • 23.1.237.91
                                                                PO# ENQ8864.Pdf.exeGet hashmaliciousCryptOne, Snake Keylogger, VIP KeyloggerBrowse
                                                                • 23.1.237.91
                                                                https://c7xp.5deldq579.ru/0gI7K8W/Get hashmaliciousHTMLPhisher, Invisible JSBrowse
                                                                • 23.1.237.91
                                                                3H9vQ1LeI8.jsGet hashmaliciousHTMLPhisherBrowse
                                                                • 23.1.237.91
                                                                burnova-x64.exeGet hashmaliciousAsyncRATBrowse
                                                                • 23.1.237.91
                                                                FileRecoveryProSetup.exeGet hashmaliciousAsyncRATBrowse
                                                                • 23.1.237.91

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

                                                                Download File
                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1434
                                                                Entropy (8bit):5.342612360333169
                                                                Encrypted:false
                                                                SSDEEP:24:ML9E4KlKDE4KhKiKhRAE4KzecKIE4oKNzKoZsXE4qdKqE4Kx1qE4TE4KmJE4j:MxHKlYHKh3oRAHKzectHo60H8HKx1qHd
                                                                MD5:DED544725C0FC4A9C1A4064260007227
                                                                SHA1:C196627F0D20E14F0240201AC995E9BEBC399C29
                                                                SHA-256:82F1B25C0D0DC1B72BFE5E837B668E0087D7E469CCCF909924B72FEC5C1C8F10
                                                                SHA-512:41A800B36C9017CB5B9D427C9AD317ACAC680FCE5FF85391497F6BE489782423B7E22A27CD7211C2E110B5465418747841A42A16C40D1A41A0CD27D192F2A7A5
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ#20252502QJ.exe.log

                                                                Download File
                                                                Process:C:\Users\user\Desktop\RFQ#20252502QJ.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1216
                                                                Entropy (8bit):5.34331486778365
                                                                Encrypted:false
                                                                SSDEEP:24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
                                                                MD5:8B21C0FDF91680677FEFC8890882FD1F
                                                                SHA1:E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
                                                                SHA-256:E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
                                                                SHA-512:1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
                                                                Malicious:true
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lNIfJeZzNfEXku.exe.log

                                                                Download File
                                                                Process:C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1216
                                                                Entropy (8bit):5.34331486778365
                                                                Encrypted:false
                                                                SSDEEP:24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
                                                                MD5:8B21C0FDF91680677FEFC8890882FD1F
                                                                SHA1:E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
                                                                SHA-256:E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
                                                                SHA-512:1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):2232
                                                                Entropy (8bit):5.380805901110357
                                                                Encrypted:false
                                                                SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                                                MD5:16AD599332DD2FF94DA0787D71688B62
                                                                SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
                                                                SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
                                                                SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
                                                                Malicious:false
                                                                Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qyikzx5.mok.psm1

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rpzddkm4.qdd.ps1

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjf4p4kz.q4f.ps1

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xllpthdt.yxi.psm1

                                                                Download File
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\tmp5264.tmp

                                                                Download File
                                                                Process:C:\Users\user\Desktop\RFQ#20252502QJ.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1587
                                                                Entropy (8bit):5.11697504169611
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt19xvn:cgergYrFdOFzOzN33ODOiDdKrsuT1Dv
                                                                MD5:1AC8A2505420AE567680D2549CAC6A50
                                                                SHA1:3CF15ECD42257D95908884C133F73666CC3E2D78
                                                                SHA-256:B51C5C1B72DC4C91D7C2A08D803426331992B38B755EE51FDB4FB319D1AC19A0
                                                                SHA-512:DBC923E37A788524471F04CC25DD0674F3CD6CAB1BA2F88F1C4AEE25E46F124750F3989C760C0146813543B6F85AA70DDF5B22EA3EBDFCA8FD35C0F3976E500B
                                                                Malicious:true
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                                C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp

                                                                Download File
                                                                Process:C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1587
                                                                Entropy (8bit):5.11697504169611
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt19xvn:cgergYrFdOFzOzN33ODOiDdKrsuT1Dv
                                                                MD5:1AC8A2505420AE567680D2549CAC6A50
                                                                SHA1:3CF15ECD42257D95908884C133F73666CC3E2D78
                                                                SHA-256:B51C5C1B72DC4C91D7C2A08D803426331992B38B755EE51FDB4FB319D1AC19A0
                                                                SHA-512:DBC923E37A788524471F04CC25DD0674F3CD6CAB1BA2F88F1C4AEE25E46F124750F3989C760C0146813543B6F85AA70DDF5B22EA3EBDFCA8FD35C0F3976E500B
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                                C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe

                                                                Download File
                                                                Process:C:\Users\user\Desktop\RFQ#20252502QJ.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1163776
                                                                Entropy (8bit):7.602079231742838
                                                                Encrypted:false
                                                                SSDEEP:24576:b1u7YJeld7UKsHO787fiQJT1nXk7w19qgkO:b10Nr7mfpJJXk7V
                                                                MD5:B048461F46446B776770BC549B298EF9
                                                                SHA1:C990B9F07D31D4943303F764618B0F494A93A3FF
                                                                SHA-256:CEB2439EDE02213D08DBB5CF64ADE11B7F5558A5234E544A0C53CFA337F6860F
                                                                SHA-512:307285BC3A4C79E27AFA5038E37F0016CA8D196A1E3BA9C25994EA8D6E027EAD70CECEF280B2E6EC055AAEF466AF061DFD325BB30F7157A91E5AD4DB1BE7BD76
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 55%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J...............0.................. ........@.. ....................... ............`.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...................w....&..H..................................................:.......Ch.c<iF.).v...;....Z.......!..L.tb....[.j..$.=..s.P.J...Z..<#-..4.2'.];....o.h....c...iAl/O.pD./........H..&.T..M..e.K. ..>{..Z$...Y.....X.:>...L>`..0<xi.........p....(u!..Q.H x.....,..#...%.B.d.@.Z...W..L..5.E....Eu.p..L....d...Y...s.p..R..&..K.<.J/).<e....Av@$.vQ5q.....LQYO.=.m'.y....Q\...<i..Xp.........:...n.D)c...0A...sF.D..J.J..@.p..,o....X.....$.$.%.h........q.V..

                                                                C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe:Zone.Identifier

                                                                Download File
                                                                Process:C:\Users\user\Desktop\RFQ#20252502QJ.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Preview:[ZoneTransfer]....ZoneId=0

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.602079231742838
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:RFQ#20252502QJ.exe
                                                                File size:1'163'776 bytes
                                                                MD5:b048461f46446b776770bc549b298ef9
                                                                SHA1:c990b9f07d31d4943303f764618b0f494a93a3ff
                                                                SHA256:ceb2439ede02213d08dbb5cf64ade11b7f5558a5234e544a0c53cfa337f6860f
                                                                SHA512:307285bc3a4c79e27afa5038e37f0016ca8d196a1e3ba9c25994ea8d6e027ead70cecef280b2e6ec055aaef466af061dfd325bb30f7157a91e5ad4db1be7bd76
                                                                SSDEEP:24576:b1u7YJeld7UKsHO787fiQJT1nXk7w19qgkO:b10Nr7mfpJJXk7V
                                                                TLSH:CD35D09C7240F48FC80BC9358965EDB096142CAB4307D60794DB7EAFB96D96B8F052F2
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J................0.................. ........@.. ....................... ............`................................

                                                                File Icon

                                                                Icon Hash:00928e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x51d60e
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x89C54A9C [Tue Mar 31 09:51:24 2043 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al

                                                                Data Directories

                                                                NameVirtual AddressVirtual Size Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x11d5b80x53.text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x11e0000x590.rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x1200000xc.reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                Sections

                                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                .text0x20000x11b6140x11b8004c4b6c64af09db8d4e22bb3431577a83False0.8350324142967372data7.607226564215582IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rsrc0x11e0000x5900x6005462f53b0a87ce0b04bbd81122e4a4ccFalse0.416015625data4.035331478725465IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc0x1200000xc0x200f8263c437848d3e841e35a6e061e1f2dFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                RT_VERSION0x11e0a00x304data0.4339378238341969
                                                                RT_MANIFEST0x11e3a40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                Imports

                                                                DLLImport
                                                                mscoree.dll_CorExeMain

                                                                Version Infos

                                                                DescriptionData
                                                                Translation0x0000 0x04b0
                                                                Comments
                                                                CompanyName
                                                                FileDescriptionlab6.1
                                                                FileVersion1.0.0.0
                                                                InternalNameFNsp.exe
                                                                LegalCopyrightCopyright 2021
                                                                LegalTrademarks
                                                                OriginalFilenameFNsp.exe
                                                                ProductNamelab6.1
                                                                ProductVersion1.0.0.0
                                                                Assembly Version1.0.0.0

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Feb 25, 2025 11:49:06.971910954 CET49674443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:06.971915007 CET49675443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:07.065661907 CET49673443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:16.151185989 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.156274080 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.156359911 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.367227077 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.372245073 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.372297049 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.377329111 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.576508045 CET49675443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:16.581151009 CET49674443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:16.676599979 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676654100 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676698923 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676726103 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676721096 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.676743031 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676759958 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676778078 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676784039 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.676798105 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676810980 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.676815033 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676832914 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.676839113 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.676886082 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.681540012 CET49673443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:16.681895018 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.681916952 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.681989908 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.697339058 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.697351933 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.697408915 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.763077021 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763103962 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763120890 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763144016 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763158083 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763190031 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.763215065 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.763647079 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763659000 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763672113 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763678074 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763690948 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.763710022 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.763742924 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.764463902 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.764475107 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.764488935 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.764538050 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.765022039 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765033960 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765057087 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765069962 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765070915 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.765084982 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765119076 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.765156984 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.765945911 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765959024 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765973091 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.765985966 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.766005993 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.766051054 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.831012011 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.831026077 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.831048012 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.831058025 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.831091881 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.831125975 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.849384069 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.849432945 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.849447966 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.849514008 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.849550962 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.849595070 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.849698067 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.849764109 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.849776983 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.849805117 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.849975109 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850022078 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850023031 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.850039005 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850073099 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850085020 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850095987 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850117922 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.850769043 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850788116 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850801945 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850811005 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.850815058 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850828886 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.850838900 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.850874901 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.851310968 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.851341963 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.851355076 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.851382017 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.851382971 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.851393938 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.851409912 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.851423979 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.851439953 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.851469994 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.852195978 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.852219105 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.852236032 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.852247000 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.852288961 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.852297068 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.852302074 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.852322102 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.852329969 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.852345943 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.852370977 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.853132010 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.853144884 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.853157997 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.853171110 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.853183031 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.853203058 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.853244066 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.853257895 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.853271008 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.853301048 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.854094028 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.854105949 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.854119062 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.854162931 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.854187965 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.895049095 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.895081997 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.895092964 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.895103931 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.895139933 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.895174026 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.917289019 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.917310953 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.917321920 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.917377949 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.917423010 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.917434931 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.917445898 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.917468071 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.917496920 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.935617924 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935646057 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935689926 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.935735941 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935746908 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935759068 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935770035 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935782909 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935791969 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935794115 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.935834885 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.935940027 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935951948 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935964108 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935983896 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.935986996 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.935997009 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936019897 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936029911 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936036110 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.936044931 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936057091 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.936090946 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.936620951 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936634064 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936661959 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936671019 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936672926 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936674118 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.936681032 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936682940 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936685085 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936691046 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.936703920 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.936754942 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.937254906 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937268972 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937277079 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937318087 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.937340021 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.937350988 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937362909 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937372923 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937386036 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937396049 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.937397003 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937411070 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937422037 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937428951 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.937436104 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.937442064 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.937474966 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.938155890 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938169003 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938180923 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938198090 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938218117 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938230038 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938230991 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.938244104 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938255072 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938261032 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.938267946 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938277960 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.938282967 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938293934 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.938297033 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.938319921 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.938993931 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939054012 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.939070940 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939081907 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939101934 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939112902 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939121962 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.939129114 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939136982 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.939150095 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939167023 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939181089 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939188957 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939192057 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939213037 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.939239979 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.939940929 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939951897 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939965963 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.939990997 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.940054893 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940068007 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940078974 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940098047 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940100908 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.940109968 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940119982 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.940125942 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940140009 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940151930 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940161943 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.940201998 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.940829039 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.940876961 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.981309891 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.981374025 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.981384993 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.981395960 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.981410980 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.981417894 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:16.981427908 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.981479883 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:16.981479883 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.003598928 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003611088 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003631115 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003642082 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003653049 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003657103 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.003665924 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003679037 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003712893 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.003808022 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003853083 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003863096 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.003866911 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003915071 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.003936052 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.003962040 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.004004002 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022037983 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022142887 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022309065 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022384882 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022593021 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022605896 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022655010 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022682905 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022692919 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022712946 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022726059 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022775888 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022780895 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022793055 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022813082 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022826910 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022838116 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022847891 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022857904 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022871017 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022871971 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022882938 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022905111 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022905111 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022918940 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022932053 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022943020 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022943974 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022973061 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022974968 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022986889 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.022994995 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.022998095 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023013115 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023020983 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023061991 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023098946 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023118019 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023130894 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023143053 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023163080 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023164034 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023179054 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023183107 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023191929 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023205042 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023217916 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023257971 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023329973 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023350000 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023363113 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023375034 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023385048 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023389101 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023402929 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023427010 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023438931 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023442984 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023457050 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023478985 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023490906 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023497105 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023505926 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023518085 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023530960 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023541927 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023572922 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023581028 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023593903 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023606062 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023617029 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023631096 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023636103 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023643970 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.023648977 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.023669004 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024360895 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024374962 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024388075 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024399996 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024413109 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024415970 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024425983 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024441957 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024449110 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024486065 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024523020 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024543047 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024555922 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024569988 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024583101 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024594069 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024595976 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024609089 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024621964 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024622917 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024641037 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024642944 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024651051 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024653912 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024661064 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.024662971 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.024703979 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025269985 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025289059 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025301933 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025321007 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025329113 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025333881 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025346041 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025357008 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025360107 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025377989 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025399923 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025418043 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025435925 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025449038 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025461912 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025475025 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025490046 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025490999 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025518894 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025568962 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025582075 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025593042 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025605917 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025618076 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025619030 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025635004 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.025645018 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.025655031 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.027439117 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.027451992 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.027502060 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.067792892 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.067820072 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.067831993 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.067842960 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.067854881 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.067864895 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.067878962 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.067884922 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.067919970 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.067935944 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.089932919 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.089955091 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.089968920 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.089981079 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.089998007 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.089998960 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.090010881 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.090023994 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.090028048 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.090037107 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.090056896 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.090095997 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108210087 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108222961 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108242989 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108257055 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108268023 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108278036 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108283043 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108304024 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108319044 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108330965 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108335018 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108354092 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108366013 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108378887 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108383894 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108395100 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108405113 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108423948 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108427048 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108434916 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108453989 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108467102 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108475924 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108481884 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108489990 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108494043 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108506918 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108526945 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108542919 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108555079 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108555079 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108570099 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108592987 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108598948 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108606100 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108629942 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108633041 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108642101 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108655930 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108675003 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108690023 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108696938 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108702898 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108706951 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108715057 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108716965 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108741999 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108771086 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108803034 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108814955 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108827114 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108839035 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108848095 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108863115 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108870029 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108872890 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108879089 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108886003 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.108896017 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.108908892 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109025955 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109081984 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109093904 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109117985 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109142065 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109150887 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109163046 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109175920 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109190941 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109205961 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109240055 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109251976 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109263897 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109275103 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109275103 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109287024 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109298944 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109308958 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109323978 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109328032 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109334946 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109344006 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109349966 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109364033 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109376907 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109410048 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109422922 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109433889 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109446049 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109467030 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109469891 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109479904 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109494925 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109507084 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109509945 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109519005 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109525919 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109530926 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109544039 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109545946 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109559059 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109568119 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109648943 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109661102 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109671116 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109673977 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109683990 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109707117 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109708071 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109719992 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109730959 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.109743118 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.109755993 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.193371058 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:17.198590040 CET136504970869.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:17.198704958 CET4970813650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.016041994 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.021159887 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.021384001 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.034079075 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.034136057 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.039119005 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039201975 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.039218903 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039231062 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039280891 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.039325953 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039335012 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039376020 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.039380074 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039391041 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039403915 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039442062 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039447069 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.039469957 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.039501905 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.039518118 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.044274092 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.044362068 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.044397116 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.044408083 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.044461966 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.044533014 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.044550896 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.044565916 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.044611931 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.044677973 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.086323023 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.086487055 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:18.133976936 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:18.308398008 CET4434970323.1.237.91192.168.2.5
                                                                Feb 25, 2025 11:49:18.308510065 CET49703443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:18.419420004 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.097018957 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.102139950 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.102216959 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.107180119 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.517096996 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.517097950 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522258043 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522304058 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522316933 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522350073 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522353888 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522367001 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522373915 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522397995 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522411108 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522444963 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522454977 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522504091 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522514105 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522519112 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522566080 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522609949 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522619963 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522641897 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522651911 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522670984 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522691965 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522768021 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522778988 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522800922 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522810936 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522850990 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.522941113 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.522995949 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.523056984 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.523072958 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.523082972 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.523087978 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.523103952 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.523113966 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.523123026 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.523125887 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.523144007 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.523159027 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.523176908 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527369976 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527436972 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527502060 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527512074 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527545929 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527597904 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527604103 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527609110 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527677059 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527677059 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527806044 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527817011 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527827978 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527838945 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527863979 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527889013 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527899027 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527909994 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.527961969 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.527961969 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.528059959 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528074026 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528084993 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528094053 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528167009 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:19.528188944 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528199911 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528259993 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528270960 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528290033 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528300047 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528310061 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528320074 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528341055 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528352022 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528465986 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.528476954 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532586098 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532648087 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532660007 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532744884 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532754898 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532767057 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532881975 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532931089 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.532943010 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.533003092 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.533015013 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.533035040 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.533046961 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:19.533157110 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.035276890 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.042844057 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.043036938 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.049478054 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.217437029 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.284291029 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.353295088 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.361134052 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.366297007 CET136504971169.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.366411924 CET4971113650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.453474045 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.458497047 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.458605051 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.484113932 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.489135981 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.489348888 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.494405985 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.986660957 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987222910 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987252951 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987272978 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987345934 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.987345934 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.987365007 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987382889 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987399101 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987416029 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987432957 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987438917 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.987464905 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.987479925 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.987525940 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:20.992630005 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.992647886 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.992665052 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:20.992851019 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.010385036 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.010412931 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.010637999 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.074273109 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074304104 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074321032 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074337006 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074356079 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074381113 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.074381113 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.074429989 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.074692011 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074717999 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074734926 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074759960 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074790955 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.074801922 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.074842930 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.075598955 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.075617075 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.075634003 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.075650930 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.075710058 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.075710058 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.076165915 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.076190948 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.076209068 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.076225042 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.076245070 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.076266050 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.076329947 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.079379082 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.079432964 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.079448938 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.079471111 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.079528093 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.135703087 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.135746002 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.135782957 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.136024952 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161287069 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161318064 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161334991 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161350965 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161355019 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161371946 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161390066 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161396027 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161407948 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161429882 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161442041 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161447048 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161463976 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161468029 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161484003 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161521912 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161534071 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161626101 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161683083 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161767006 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.161815882 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161941051 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161964893 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.161990881 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162005901 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162009954 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162023067 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162039995 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162051916 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162064075 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162080050 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162095070 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162105083 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162105083 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162111998 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162136078 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162746906 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162764072 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162789106 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162805080 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162822962 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162825108 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162842035 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162853003 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162872076 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162872076 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.162888050 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162904978 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162919998 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162935972 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.162947893 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.163005114 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.163661003 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163686991 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163703918 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163719893 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163741112 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163780928 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.163804054 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163820982 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163836956 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.163882017 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.163971901 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.222490072 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.222512007 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.222541094 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.222558975 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.222577095 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.222589970 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.222618103 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.222618103 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.222657919 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248064995 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248081923 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248097897 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248114109 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248131037 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248194933 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248231888 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248253107 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248253107 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248253107 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248284101 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248358965 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248410940 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248415947 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248428106 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248445988 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248464108 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248501062 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248501062 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248684883 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248701096 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248728037 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248743057 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248759031 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248783112 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248795986 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248796940 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248816013 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248831034 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248848915 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.248863935 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.248904943 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.249188900 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249243975 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249259949 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249294043 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249310970 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249313116 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.249327898 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249344110 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249361992 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249363899 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.249363899 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.249378920 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249397993 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249418020 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.249425888 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249443054 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249458075 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249475002 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249489069 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.249506950 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.249506950 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.249535084 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.250119925 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250149012 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250165939 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250180960 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250196934 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250196934 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.250211954 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.250216007 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250242949 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250258923 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250273943 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250279903 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.250296116 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250319958 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.250319958 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.250324965 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250341892 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250360012 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250375986 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250391006 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.250410080 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.250471115 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251068115 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251094103 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251111031 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251126051 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251143932 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251146078 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251163006 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251183033 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251190901 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251199961 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251216888 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251219988 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251235008 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251245022 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251272917 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251277924 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251288891 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251306057 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251331091 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251348972 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.251359940 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251470089 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.251960993 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.252021074 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.309411049 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309439898 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309458017 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309474945 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309489965 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309498072 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.309506893 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309529066 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.309534073 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309552908 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309568882 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309571981 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.309597015 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.309616089 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.309652090 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.309652090 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.334908009 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.334944963 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.334970951 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.334989071 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335004091 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335004091 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335024118 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335063934 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335063934 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335083008 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335099936 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335115910 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335133076 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335210085 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335218906 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335254908 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335270882 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335338116 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335344076 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335361958 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335417986 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335417986 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335449934 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335467100 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335495949 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335505962 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335510015 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335527897 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335545063 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335561991 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335577965 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335598946 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335627079 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335777998 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335824966 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335843086 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335861921 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335900068 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335915089 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335917950 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335933924 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335949898 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335961103 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.335966110 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.335994959 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336004972 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336021900 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336035967 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336040020 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336057901 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336074114 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336091042 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336111069 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336127996 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336138964 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336149931 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336174011 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336486101 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336503029 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336519957 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336545944 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336560965 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336577892 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336577892 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336587906 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336606026 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336622000 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336651087 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336666107 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336683989 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336699009 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336718082 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.336724997 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336724997 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336724997 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.336802006 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337138891 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337156057 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337183952 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337201118 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337217093 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337224007 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337243080 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337265015 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337271929 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337290049 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337301970 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337316036 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337342978 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337359905 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337374926 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337392092 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337405920 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337405920 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337408066 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337430000 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337435007 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337445974 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337462902 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337477922 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337496042 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337496996 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337496996 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337513924 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.337567091 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.337567091 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340148926 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340169907 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340187073 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340202093 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340219975 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340234995 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340245008 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340245008 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340251923 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340293884 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340305090 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340321064 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340339899 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340358973 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340367079 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340378046 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340388060 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340395927 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340414047 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340457916 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340486050 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340521097 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340569973 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340585947 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340620995 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340675116 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340692043 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340707064 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340723038 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340739012 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340744019 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340754986 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340773106 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.340795994 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340795994 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.340856075 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.416495085 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416522026 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416541100 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416558027 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416577101 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416594028 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416598082 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.416598082 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.416613102 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416631937 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416650057 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416667938 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416685104 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416702986 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416712046 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.416712046 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.416712046 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.416722059 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416734934 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.416743040 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.416804075 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422116041 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422147036 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422164917 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422173977 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422192097 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422209978 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422230005 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422254086 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422254086 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422259092 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422276020 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422291040 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422308922 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422415972 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422431946 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422447920 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422452927 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422477961 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422493935 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422497988 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422497988 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422513962 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422530890 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422553062 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422561884 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422590017 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422590017 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422590971 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422609091 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422626019 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422653913 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422653913 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422653913 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422673941 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422688961 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422707081 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422719955 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422724009 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422740936 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422744036 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422765017 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422770977 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422782898 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422802925 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422822952 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422826052 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422841072 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422847986 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422857046 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422873020 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422888994 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422897100 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422904968 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422928095 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422934055 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422944069 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422955036 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422972918 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422979116 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.422988892 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.422997952 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423017025 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423032999 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423039913 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423051119 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423069000 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423075914 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423075914 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423086882 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423104048 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423119068 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423119068 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423140049 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423157930 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423170090 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423197031 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423213005 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423228979 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423243046 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423245907 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423264027 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423280001 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423286915 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423291922 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423332930 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423340082 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423361063 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423378944 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423405886 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423420906 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423427105 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423439026 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423455000 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423471928 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423485994 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423489094 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423501015 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423506975 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423525095 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423528910 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423542023 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423551083 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423561096 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423578024 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.423614025 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423614025 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.423755884 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.504539013 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:21.509859085 CET136504971269.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:21.509978056 CET4971213650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.522253036 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.527503967 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.527628899 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.540636063 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.540769100 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.545686007 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.545751095 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.545977116 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546008110 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546060085 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546072960 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.546088934 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546144962 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546148062 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.546174049 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546196938 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546197891 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.546210051 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546221972 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.546222925 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.546286106 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.546286106 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.550822020 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.550982952 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.551296949 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.551310062 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.551352024 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.551378965 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.551392078 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.551405907 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.551439047 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.551449060 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.551505089 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.596741915 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.596856117 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:22.648722887 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:22.909965992 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.554274082 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.559592009 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.559664965 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.564778090 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.969075918 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.969336033 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974140882 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974535942 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974549055 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974596024 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974606037 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974612951 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974653959 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974663019 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974668980 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974715948 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974725008 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974735975 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974766016 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974775076 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974793911 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974813938 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974822998 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974833965 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974844933 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974854946 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974865913 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974922895 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974922895 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.974973917 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974983931 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.974992990 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.975003958 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.975023985 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.975033045 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.975034952 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.975071907 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.975203037 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.975214005 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.975244045 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.975271940 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.975332022 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.979713917 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979724884 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979748964 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979758978 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979777098 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979784012 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.979787111 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979798079 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979813099 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.979842901 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.979842901 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.979938984 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979948997 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979979038 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979988098 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.979999065 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980001926 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.980020046 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980026007 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.980048895 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:23.980068922 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980078936 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980098009 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980107069 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980186939 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980195999 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980237961 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980247974 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980298042 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980308056 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980406046 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980416059 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980459929 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.980525017 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.984772921 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.984956980 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.984967947 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985083103 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985093117 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985141039 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985151052 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985274076 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985284090 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985374928 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985420942 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985488892 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985498905 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:23.985532999 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:24.488588095 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:24.493638039 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:24.493733883 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:24.499995947 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:24.673063040 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:24.784322023 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:24.805385113 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:24.817667007 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:24.822935104 CET136504971369.61.84.211192.168.2.5
                                                                Feb 25, 2025 11:49:24.822995901 CET4971313650192.168.2.569.61.84.211
                                                                Feb 25, 2025 11:49:28.597071886 CET49703443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:28.597153902 CET49703443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:28.599981070 CET49748443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:28.600030899 CET4434974823.1.237.91192.168.2.5
                                                                Feb 25, 2025 11:49:28.600604057 CET49748443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:28.601413965 CET49748443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:28.601432085 CET4434974823.1.237.91192.168.2.5
                                                                Feb 25, 2025 11:49:28.602143049 CET4434970323.1.237.91192.168.2.5
                                                                Feb 25, 2025 11:49:28.602174044 CET4434970323.1.237.91192.168.2.5
                                                                Feb 25, 2025 11:49:29.195791006 CET4434974823.1.237.91192.168.2.5
                                                                Feb 25, 2025 11:49:29.195863008 CET49748443192.168.2.523.1.237.91
                                                                Feb 25, 2025 11:49:48.348629951 CET4434974823.1.237.91192.168.2.5
                                                                Feb 25, 2025 11:49:48.348715067 CET49748443192.168.2.523.1.237.91

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Feb 25, 2025 11:49:14.755160093 CET4941453192.168.2.51.1.1.1
                                                                Feb 25, 2025 11:49:15.758069038 CET4941453192.168.2.51.1.1.1
                                                                Feb 25, 2025 11:49:16.110635042 CET53494141.1.1.1192.168.2.5
                                                                Feb 25, 2025 11:49:16.110646963 CET53494141.1.1.1192.168.2.5
                                                                Feb 25, 2025 11:49:17.702295065 CET6085453192.168.2.51.1.1.1
                                                                Feb 25, 2025 11:49:17.710520983 CET53608541.1.1.1192.168.2.5

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Feb 25, 2025 11:49:14.755160093 CET192.168.2.51.1.1.10x34dStandard query (0)hottie1.duckdns.orgA (IP address)IN (0x0001)false
                                                                Feb 25, 2025 11:49:15.758069038 CET192.168.2.51.1.1.10x34dStandard query (0)hottie1.duckdns.orgA (IP address)IN (0x0001)false
                                                                Feb 25, 2025 11:49:17.702295065 CET192.168.2.51.1.1.10xeddbStandard query (0)233.75.3.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Feb 25, 2025 11:49:16.110635042 CET1.1.1.1192.168.2.50x34dNo error (0)hottie1.duckdns.org69.61.84.211A (IP address)IN (0x0001)false
                                                                Feb 25, 2025 11:49:16.110646963 CET1.1.1.1192.168.2.50x34dNo error (0)hottie1.duckdns.org69.61.84.211A (IP address)IN (0x0001)false
                                                                Feb 25, 2025 11:49:17.710520983 CET1.1.1.1192.168.2.50xeddbName error (3)233.75.3.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                                                                Feb 25, 2025 11:49:23.057380915 CET1.1.1.1192.168.2.50xc8e8No error (0)shed.dual-low.s-part-0032.t-0009.t-msedge.nets-part-0032.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                Feb 25, 2025 11:49:23.057380915 CET1.1.1.1192.168.2.50xc8e8No error (0)s-part-0032.t-0009.t-msedge.net13.107.246.60A (IP address)IN (0x0001)false
                                                                Feb 25, 2025 11:49:29.044581890 CET1.1.1.1192.168.2.50x578dNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
                                                                Feb 25, 2025 11:49:29.044581890 CET1.1.1.1192.168.2.50x578dNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:05:49:10
                                                                Start date:25/02/2025
                                                                Path:C:\Users\user\Desktop\RFQ#20252502QJ.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\RFQ#20252502QJ.exe"
                                                                Imagebase:0x350000
                                                                File size:1'163'776 bytes
                                                                MD5 hash:B048461F46446B776770BC549B298EF9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                General

                                                                Target ID:3
                                                                Start time:05:49:12
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe"
                                                                Imagebase:0xd80000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:4
                                                                Start time:05:49:12
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:5
                                                                Start time:05:49:12
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp5264.tmp"
                                                                Imagebase:0x530000
                                                                File size:187'904 bytes
                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:6
                                                                Start time:05:49:12
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:7
                                                                Start time:05:49:13
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                Imagebase:0x440000
                                                                File size:262'432 bytes
                                                                MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:8
                                                                Start time:05:49:13
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                Imagebase:0xf20000
                                                                File size:262'432 bytes
                                                                MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.2200998451.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2193405275.00000000032F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.2193405275.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:9
                                                                Start time:05:49:14
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                Imagebase:0x7ff6ef0c0000
                                                                File size:496'640 bytes
                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:10
                                                                Start time:05:49:15
                                                                Start date:25/02/2025
                                                                Path:C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\lNIfJeZzNfEXku.exe
                                                                Imagebase:0x560000
                                                                File size:1'163'776 bytes
                                                                MD5 hash:B048461F46446B776770BC549B298EF9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 100%, Avira
                                                                • Detection: 55%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                General

                                                                Target ID:11
                                                                Start time:05:49:18
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lNIfJeZzNfEXku" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABE.tmp"
                                                                Imagebase:0x530000
                                                                File size:187'904 bytes
                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:12
                                                                Start time:05:49:18
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:13
                                                                Start time:05:49:18
                                                                Start date:25/02/2025
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                Imagebase:0xd40000
                                                                File size:262'432 bytes
                                                                MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.2240042344.00000000031AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2240042344.0000000003277000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Disassembly

                                                                Reset < >